To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 636
- compare with another revision
- download diff
- download tarball
- view history from revision 636
- Committer: Teddy Hogeborn
- Date: 2013-10-26 19:05:21 UTC
- Revision ID: teddy@recompile.se-20131026190521-giagilisbyciox2h
Fall back to /var/run for pidfile if /run is not a directory.
This is for old (possibly non-Debian) systems which have not migrated
from /var/run to /run yet.
* init.d-mandos (PIDFILE): Fall back to /var/run/mandos.pid if /run is
not a directory.
* mandos (pidfilename): - '' -
* mandos.xml (FILES): Document fallback to /var/run/mandos.pid if /run
is not a directory.
Reported-by: Nathanael D. Noblet <nathanael@gnat.ca>
Suggested-by: Nathanael D. Noblet <nathanael@gnat.ca>
This is for old (possibly non-Debian) systems which have not migrated
from /var/run to /run yet.
* init.d-mandos (PIDFILE): Fall back to /var/run/mandos.pid if /run is
not a directory.
* mandos (pidfilename): - '' -
* mandos.xml (FILES): Document fallback to /var/run/mandos.pid if /run
is not a directory.
Reported-by: Nathanael D. Noblet <nathanael@gnat.ca>
Suggested-by: Nathanael D. Noblet <nathanael@gnat.ca>
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- debian/upstream
- dracut-module
- plugin-helpers
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2013 Teddy Hogeborn
15
# Copyright © 2008-2013 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
try:
44
import SocketServer as socketserver
45
except ImportError:
46
import socketserver
39
import SocketServer as socketserver
47
40
import socket
48
41
import argparse
49
42
import datetime
50
43
import errno
51
try:
52
import ConfigParser as configparser
53
except ImportError:
54
import configparser
44
import gnutls.crypto
45
import gnutls.connection
46
import gnutls.errors
47
import gnutls.library.functions
48
import gnutls.library.constants
49
import gnutls.library.types
50
import ConfigParser as configparser
55
51
import sys
56
52
import re
57
53
import os
66
62
import struct
67
63
import fcntl
68
64
import functools
69
try:
70
import cPickle as pickle
71
except ImportError:
72
import pickle
65
import cPickle as pickle
73
66
import multiprocessing
74
67
import types
75
68
import binascii
76
69
import tempfile
77
70
import itertools
78
71
import collections
79
import codecs
80
import unittest
81
import random
82
72
83
73
import dbus
84
74
import dbus.service
85
import gi
86
from gi.repository import GLib
75
import gobject
76
import avahi
87
77
from dbus.mainloop.glib import DBusGMainLoop
88
78
import ctypes
89
79
import ctypes.util
90
80
import xml.dom.minidom
91
81
import inspect
92
82
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
97
# Add collections.abc.Callable if it does not exist
98
try:
99
collections.abc.Callable
100
except AttributeError:
101
class abc:
102
Callable = collections.Callable
103
collections.abc = abc
104
del abc
105
106
# Show warnings by default
107
if not sys.warnoptions:
108
import warnings
109
warnings.simplefilter("default")
110
111
# Try to find the value of SO_BINDTODEVICE:
112
try:
113
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
114
# newer, and it is also the most natural place for it:
83
try:
115
84
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
116
85
except AttributeError:
117
86
try:
118
# This is where SO_BINDTODEVICE was up to and including Python
119
# 2.6, and also 3.2:
120
87
from IN import SO_BINDTODEVICE
121
88
except ImportError:
122
# In Python 2.7 it seems to have been removed entirely.
123
# Try running the C preprocessor:
124
try:
125
cc = subprocess.Popen(["cc", "--language=c", "-E",
126
"/dev/stdin"],
127
stdin=subprocess.PIPE,
128
stdout=subprocess.PIPE)
129
stdout = cc.communicate(
130
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
131
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
132
except (OSError, ValueError, IndexError):
133
# No value found
134
SO_BINDTODEVICE = None
135
136
if sys.version_info < (3, 2):
137
configparser.Configparser = configparser.SafeConfigParser
138
139
version = "1.8.9"
89
SO_BINDTODEVICE = None
90
91
version = "1.6.2"
140
92
stored_state_file = "clients.pickle"
141
93
142
94
logger = logging.getLogger()
143
logging.captureWarnings(True) # Show warnings via the logging system
144
syslogger = None
95
syslogger = (logging.handlers.SysLogHandler
96
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
97
address = str("/dev/log")))
145
98
146
99
try:
147
if_nametoindex = ctypes.cdll.LoadLibrary(
148
ctypes.util.find_library("c")).if_nametoindex
100
if_nametoindex = (ctypes.cdll.LoadLibrary
101
(ctypes.util.find_library("c"))
102
.if_nametoindex)
149
103
except (OSError, AttributeError):
150
151
104
def if_nametoindex(interface):
152
105
"Get an interface index the hard way, i.e. using fcntl()"
153
106
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
154
107
with contextlib.closing(socket.socket()) as s:
155
108
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
156
struct.pack(b"16s16x", interface))
157
interface_index = struct.unpack("I", ifreq[16:20])[0]
109
struct.pack(str("16s16x"),
110
interface))
111
interface_index = struct.unpack(str("I"),
112
ifreq[16:20])[0]
158
113
return interface_index
159
114
160
115
161
def copy_function(func):
162
"""Make a copy of a function"""
163
if sys.version_info.major == 2:
164
return types.FunctionType(func.func_code,
165
func.func_globals,
166
func.func_name,
167
func.func_defaults,
168
func.func_closure)
169
else:
170
return types.FunctionType(func.__code__,
171
func.__globals__,
172
func.__name__,
173
func.__defaults__,
174
func.__closure__)
175
176
177
116
def initlogger(debug, level=logging.WARNING):
178
117
"""init logger and add loglevel"""
179
180
global syslogger
181
syslogger = (logging.handlers.SysLogHandler(
182
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
183
address="/dev/log"))
118
184
119
syslogger.setFormatter(logging.Formatter
185
120
('Mandos [%(process)d]: %(levelname)s:'
186
121
' %(message)s'))
187
122
logger.addHandler(syslogger)
188
123
189
124
if debug:
190
125
console = logging.StreamHandler()
191
126
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
201
136
pass
202
137
203
138
204
class PGPEngine:
139
class PGPEngine(object):
205
140
"""A simple class for OpenPGP symmetric encryption & decryption"""
206
207
141
def __init__(self):
208
142
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
209
self.gpg = "gpg"
210
try:
211
output = subprocess.check_output(["gpgconf"])
212
for line in output.splitlines():
213
name, text, path = line.split(b":")
214
if name == b"gpg":
215
self.gpg = path
216
break
217
except OSError as e:
218
if e.errno != errno.ENOENT:
219
raise
220
143
self.gnupgargs = ['--batch',
221
'--homedir', self.tempdir,
144
'--home', self.tempdir,
222
145
'--force-mdc',
223
'--quiet']
224
# Only GPG version 1 has the --no-use-agent option.
225
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
226
self.gnupgargs.append("--no-use-agent")
227
146
'--quiet',
147
'--no-use-agent']
148
228
149
def __enter__(self):
229
150
return self
230
151
231
152
def __exit__(self, exc_type, exc_value, traceback):
232
153
self._cleanup()
233
154
return False
234
155
235
156
def __del__(self):
236
157
self._cleanup()
237
158
238
159
def _cleanup(self):
239
160
if self.tempdir is not None:
240
161
# Delete contents of tempdir
241
162
for root, dirs, files in os.walk(self.tempdir,
242
topdown=False):
163
topdown = False):
243
164
for filename in files:
244
165
os.remove(os.path.join(root, filename))
245
166
for dirname in dirs:
247
168
# Remove tempdir
248
169
os.rmdir(self.tempdir)
249
170
self.tempdir = None
250
171
251
172
def password_encode(self, password):
252
173
# Passphrase can not be empty and can not contain newlines or
253
174
# NUL bytes. So we prefix it and hex encode it.
258
179
.replace(b"\n", b"\\n")
259
180
.replace(b"\0", b"\\x00"))
260
181
return encoded
261
182
262
183
def encrypt(self, data, password):
263
184
passphrase = self.password_encode(password)
264
with tempfile.NamedTemporaryFile(
265
dir=self.tempdir) as passfile:
185
with tempfile.NamedTemporaryFile(dir=self.tempdir
186
) as passfile:
266
187
passfile.write(passphrase)
267
188
passfile.flush()
268
proc = subprocess.Popen([self.gpg, '--symmetric',
189
proc = subprocess.Popen(['gpg', '--symmetric',
269
190
'--passphrase-file',
270
191
passfile.name]
271
192
+ self.gnupgargs,
272
stdin=subprocess.PIPE,
273
stdout=subprocess.PIPE,
274
stderr=subprocess.PIPE)
275
ciphertext, err = proc.communicate(input=data)
193
stdin = subprocess.PIPE,
194
stdout = subprocess.PIPE,
195
stderr = subprocess.PIPE)
196
ciphertext, err = proc.communicate(input = data)
276
197
if proc.returncode != 0:
277
198
raise PGPError(err)
278
199
return ciphertext
279
200
280
201
def decrypt(self, data, password):
281
202
passphrase = self.password_encode(password)
282
with tempfile.NamedTemporaryFile(
283
dir=self.tempdir) as passfile:
203
with tempfile.NamedTemporaryFile(dir = self.tempdir
204
) as passfile:
284
205
passfile.write(passphrase)
285
206
passfile.flush()
286
proc = subprocess.Popen([self.gpg, '--decrypt',
207
proc = subprocess.Popen(['gpg', '--decrypt',
287
208
'--passphrase-file',
288
209
passfile.name]
289
210
+ self.gnupgargs,
290
stdin=subprocess.PIPE,
291
stdout=subprocess.PIPE,
292
stderr=subprocess.PIPE)
293
decrypted_plaintext, err = proc.communicate(input=data)
211
stdin = subprocess.PIPE,
212
stdout = subprocess.PIPE,
213
stderr = subprocess.PIPE)
214
decrypted_plaintext, err = proc.communicate(input
215
= data)
294
216
if proc.returncode != 0:
295
217
raise PGPError(err)
296
218
return decrypted_plaintext
297
219
298
220
299
# Pretend that we have an Avahi module
300
class avahi:
301
"""This isn't so much a class as it is a module-like namespace."""
302
IF_UNSPEC = -1 # avahi-common/address.h
303
PROTO_UNSPEC = -1 # avahi-common/address.h
304
PROTO_INET = 0 # avahi-common/address.h
305
PROTO_INET6 = 1 # avahi-common/address.h
306
DBUS_NAME = "org.freedesktop.Avahi"
307
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
308
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
309
DBUS_PATH_SERVER = "/"
310
311
@staticmethod
312
def string_array_to_txt_array(t):
313
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
314
for s in t), signature="ay")
315
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
316
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
317
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
318
SERVER_INVALID = 0 # avahi-common/defs.h
319
SERVER_REGISTERING = 1 # avahi-common/defs.h
320
SERVER_RUNNING = 2 # avahi-common/defs.h
321
SERVER_COLLISION = 3 # avahi-common/defs.h
322
SERVER_FAILURE = 4 # avahi-common/defs.h
323
324
325
221
class AvahiError(Exception):
326
222
def __init__(self, value, *args, **kwargs):
327
223
self.value = value
328
return super(AvahiError, self).__init__(value, *args,
329
**kwargs)
330
224
super(AvahiError, self).__init__(value, *args, **kwargs)
225
def __unicode__(self):
226
return unicode(repr(self.value))
331
227
332
228
class AvahiServiceError(AvahiError):
333
229
pass
334
230
335
336
231
class AvahiGroupError(AvahiError):
337
232
pass
338
233
339
234
340
class AvahiService:
235
class AvahiService(object):
341
236
"""An Avahi (Zeroconf) service.
342
237
343
238
Attributes:
344
239
interface: integer; avahi.IF_UNSPEC or an interface index.
345
240
Used to optionally bind to the specified interface.
357
252
server: D-Bus Server
358
253
bus: dbus.SystemBus()
359
254
"""
360
361
def __init__(self,
362
interface=avahi.IF_UNSPEC,
363
name=None,
364
servicetype=None,
365
port=None,
366
TXT=None,
367
domain="",
368
host="",
369
max_renames=32768,
370
protocol=avahi.PROTO_UNSPEC,
371
bus=None):
255
256
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
257
servicetype = None, port = None, TXT = None,
258
domain = "", host = "", max_renames = 32768,
259
protocol = avahi.PROTO_UNSPEC, bus = None):
372
260
self.interface = interface
373
261
self.name = name
374
262
self.type = servicetype
383
271
self.server = None
384
272
self.bus = bus
385
273
self.entry_group_state_changed_match = None
386
387
def rename(self, remove=True):
274
275
def rename(self):
388
276
"""Derived from the Avahi example code"""
389
277
if self.rename_count >= self.max_renames:
390
278
logger.critical("No suitable Zeroconf service name found"
391
279
" after %i retries, exiting.",
392
280
self.rename_count)
393
281
raise AvahiServiceError("Too many renames")
394
self.name = str(
395
self.server.GetAlternativeServiceName(self.name))
396
self.rename_count += 1
282
self.name = unicode(self.server
283
.GetAlternativeServiceName(self.name))
397
284
logger.info("Changing Zeroconf service name to %r ...",
398
285
self.name)
399
if remove:
400
self.remove()
286
self.remove()
401
287
try:
402
288
self.add()
403
289
except dbus.exceptions.DBusException as error:
404
if (error.get_dbus_name()
405
== "org.freedesktop.Avahi.CollisionError"):
406
logger.info("Local Zeroconf service name collision.")
407
return self.rename(remove=False)
408
else:
409
logger.critical("D-Bus Exception", exc_info=error)
410
self.cleanup()
411
os._exit(1)
412
290
logger.critical("D-Bus Exception", exc_info=error)
291
self.cleanup()
292
os._exit(1)
293
self.rename_count += 1
294
413
295
def remove(self):
414
296
"""Derived from the Avahi example code"""
415
297
if self.entry_group_state_changed_match is not None:
417
299
self.entry_group_state_changed_match = None
418
300
if self.group is not None:
419
301
self.group.Reset()
420
302
421
303
def add(self):
422
304
"""Derived from the Avahi example code"""
423
305
self.remove()
440
322
dbus.UInt16(self.port),
441
323
avahi.string_array_to_txt_array(self.TXT))
442
324
self.group.Commit()
443
325
444
326
def entry_group_state_changed(self, state, error):
445
327
"""Derived from the Avahi example code"""
446
328
logger.debug("Avahi entry group state change: %i", state)
447
329
448
330
if state == avahi.ENTRY_GROUP_ESTABLISHED:
449
331
logger.debug("Zeroconf service established.")
450
332
elif state == avahi.ENTRY_GROUP_COLLISION:
452
334
self.rename()
453
335
elif state == avahi.ENTRY_GROUP_FAILURE:
454
336
logger.critical("Avahi: Error in group state changed %s",
455
str(error))
456
raise AvahiGroupError("State changed: {!s}".format(error))
457
337
unicode(error))
338
raise AvahiGroupError("State changed: {0!s}"
339
.format(error))
340
458
341
def cleanup(self):
459
342
"""Derived from the Avahi example code"""
460
343
if self.group is not None:
465
348
pass
466
349
self.group = None
467
350
self.remove()
468
351
469
352
def server_state_changed(self, state, error=None):
470
353
"""Derived from the Avahi example code"""
471
354
logger.debug("Avahi server state change: %i", state)
472
bad_states = {
473
avahi.SERVER_INVALID: "Zeroconf server invalid",
474
avahi.SERVER_REGISTERING: None,
475
avahi.SERVER_COLLISION: "Zeroconf server name collision",
476
avahi.SERVER_FAILURE: "Zeroconf server failure",
477
}
355
bad_states = { avahi.SERVER_INVALID:
356
"Zeroconf server invalid",
357
avahi.SERVER_REGISTERING: None,
358
avahi.SERVER_COLLISION:
359
"Zeroconf server name collision",
360
avahi.SERVER_FAILURE:
361
"Zeroconf server failure" }
478
362
if state in bad_states:
479
363
if bad_states[state] is not None:
480
364
if error is None:
483
367
logger.error(bad_states[state] + ": %r", error)
484
368
self.cleanup()
485
369
elif state == avahi.SERVER_RUNNING:
486
try:
487
self.add()
488
except dbus.exceptions.DBusException as error:
489
if (error.get_dbus_name()
490
== "org.freedesktop.Avahi.CollisionError"):
491
logger.info("Local Zeroconf service name"
492
" collision.")
493
return self.rename(remove=False)
494
else:
495
logger.critical("D-Bus Exception", exc_info=error)
496
self.cleanup()
497
os._exit(1)
370
self.add()
498
371
else:
499
372
if error is None:
500
373
logger.debug("Unknown state: %r", state)
501
374
else:
502
375
logger.debug("Unknown state: %r: %r", state, error)
503
376
504
377
def activate(self):
505
378
"""Derived from the Avahi example code"""
506
379
if self.server is None:
510
383
follow_name_owner_changes=True),
511
384
avahi.DBUS_INTERFACE_SERVER)
512
385
self.server.connect_to_signal("StateChanged",
513
self.server_state_changed)
386
self.server_state_changed)
514
387
self.server_state_changed(self.server.GetState())
515
388
516
389
517
390
class AvahiServiceToSyslog(AvahiService):
518
def rename(self, *args, **kwargs):
391
def rename(self):
519
392
"""Add the new name to the syslog messages"""
520
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
521
syslogger.setFormatter(logging.Formatter(
522
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
523
.format(self.name)))
393
ret = AvahiService.rename(self)
394
syslogger.setFormatter(logging.Formatter
395
('Mandos ({0}) [%(process)d]:'
396
' %(levelname)s: %(message)s'
397
.format(self.name)))
524
398
return ret
525
399
526
400
527
# Pretend that we have a GnuTLS module
528
class gnutls:
529
"""This isn't so much a class as it is a module-like namespace."""
530
531
library = ctypes.util.find_library("gnutls")
532
if library is None:
533
library = ctypes.util.find_library("gnutls-deb0")
534
_library = ctypes.cdll.LoadLibrary(library)
535
del library
536
537
# Unless otherwise indicated, the constants and types below are
538
# all from the gnutls/gnutls.h C header file.
539
540
# Constants
541
E_SUCCESS = 0
542
E_INTERRUPTED = -52
543
E_AGAIN = -28
544
CRT_OPENPGP = 2
545
CRT_RAWPK = 3
546
CLIENT = 2
547
SHUT_RDWR = 0
548
CRD_CERTIFICATE = 1
549
E_NO_CERTIFICATE_FOUND = -49
550
X509_FMT_DER = 0
551
NO_TICKETS = 1<<10
552
ENABLE_RAWPK = 1<<18
553
CTYPE_PEERS = 3
554
KEYID_USE_SHA256 = 1 # gnutls/x509.h
555
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
556
557
# Types
558
class session_int(ctypes.Structure):
559
_fields_ = []
560
session_t = ctypes.POINTER(session_int)
561
562
class certificate_credentials_st(ctypes.Structure):
563
_fields_ = []
564
certificate_credentials_t = ctypes.POINTER(
565
certificate_credentials_st)
566
certificate_type_t = ctypes.c_int
567
568
class datum_t(ctypes.Structure):
569
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
570
('size', ctypes.c_uint)]
571
572
class openpgp_crt_int(ctypes.Structure):
573
_fields_ = []
574
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
575
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
576
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
577
credentials_type_t = ctypes.c_int
578
transport_ptr_t = ctypes.c_void_p
579
close_request_t = ctypes.c_int
580
581
# Exceptions
582
class Error(Exception):
583
def __init__(self, message=None, code=None, args=()):
584
# Default usage is by a message string, but if a return
585
# code is passed, convert it to a string with
586
# gnutls.strerror()
587
self.code = code
588
if message is None and code is not None:
589
message = gnutls.strerror(code)
590
return super(gnutls.Error, self).__init__(
591
message, *args)
592
593
class CertificateSecurityError(Error):
594
pass
595
596
# Classes
597
class Credentials:
598
def __init__(self):
599
self._c_object = gnutls.certificate_credentials_t()
600
gnutls.certificate_allocate_credentials(
601
ctypes.byref(self._c_object))
602
self.type = gnutls.CRD_CERTIFICATE
603
604
def __del__(self):
605
gnutls.certificate_free_credentials(self._c_object)
606
607
class ClientSession:
608
def __init__(self, socket, credentials=None):
609
self._c_object = gnutls.session_t()
610
gnutls_flags = gnutls.CLIENT
611
if gnutls.check_version(b"3.5.6"):
612
gnutls_flags |= gnutls.NO_TICKETS
613
if gnutls.has_rawpk:
614
gnutls_flags |= gnutls.ENABLE_RAWPK
615
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
616
del gnutls_flags
617
gnutls.set_default_priority(self._c_object)
618
gnutls.transport_set_ptr(self._c_object, socket.fileno())
619
gnutls.handshake_set_private_extensions(self._c_object,
620
True)
621
self.socket = socket
622
if credentials is None:
623
credentials = gnutls.Credentials()
624
gnutls.credentials_set(self._c_object, credentials.type,
625
ctypes.cast(credentials._c_object,
626
ctypes.c_void_p))
627
self.credentials = credentials
628
629
def __del__(self):
630
gnutls.deinit(self._c_object)
631
632
def handshake(self):
633
return gnutls.handshake(self._c_object)
634
635
def send(self, data):
636
data = bytes(data)
637
data_len = len(data)
638
while data_len > 0:
639
data_len -= gnutls.record_send(self._c_object,
640
data[-data_len:],
641
data_len)
642
643
def bye(self):
644
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
645
646
# Error handling functions
647
def _error_code(result):
648
"""A function to raise exceptions on errors, suitable
649
for the 'restype' attribute on ctypes functions"""
650
if result >= 0:
651
return result
652
if result == gnutls.E_NO_CERTIFICATE_FOUND:
653
raise gnutls.CertificateSecurityError(code=result)
654
raise gnutls.Error(code=result)
655
656
def _retry_on_error(result, func, arguments):
657
"""A function to retry on some errors, suitable
658
for the 'errcheck' attribute on ctypes functions"""
659
while result < 0:
660
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
661
return _error_code(result)
662
result = func(*arguments)
663
return result
664
665
# Unless otherwise indicated, the function declarations below are
666
# all from the gnutls/gnutls.h C header file.
667
668
# Functions
669
priority_set_direct = _library.gnutls_priority_set_direct
670
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
671
ctypes.POINTER(ctypes.c_char_p)]
672
priority_set_direct.restype = _error_code
673
674
init = _library.gnutls_init
675
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
676
init.restype = _error_code
677
678
set_default_priority = _library.gnutls_set_default_priority
679
set_default_priority.argtypes = [session_t]
680
set_default_priority.restype = _error_code
681
682
record_send = _library.gnutls_record_send
683
record_send.argtypes = [session_t, ctypes.c_void_p,
684
ctypes.c_size_t]
685
record_send.restype = ctypes.c_ssize_t
686
record_send.errcheck = _retry_on_error
687
688
certificate_allocate_credentials = (
689
_library.gnutls_certificate_allocate_credentials)
690
certificate_allocate_credentials.argtypes = [
691
ctypes.POINTER(certificate_credentials_t)]
692
certificate_allocate_credentials.restype = _error_code
693
694
certificate_free_credentials = (
695
_library.gnutls_certificate_free_credentials)
696
certificate_free_credentials.argtypes = [
697
certificate_credentials_t]
698
certificate_free_credentials.restype = None
699
700
handshake_set_private_extensions = (
701
_library.gnutls_handshake_set_private_extensions)
702
handshake_set_private_extensions.argtypes = [session_t,
703
ctypes.c_int]
704
handshake_set_private_extensions.restype = None
705
706
credentials_set = _library.gnutls_credentials_set
707
credentials_set.argtypes = [session_t, credentials_type_t,
708
ctypes.c_void_p]
709
credentials_set.restype = _error_code
710
711
strerror = _library.gnutls_strerror
712
strerror.argtypes = [ctypes.c_int]
713
strerror.restype = ctypes.c_char_p
714
715
certificate_type_get = _library.gnutls_certificate_type_get
716
certificate_type_get.argtypes = [session_t]
717
certificate_type_get.restype = _error_code
718
719
certificate_get_peers = _library.gnutls_certificate_get_peers
720
certificate_get_peers.argtypes = [session_t,
721
ctypes.POINTER(ctypes.c_uint)]
722
certificate_get_peers.restype = ctypes.POINTER(datum_t)
723
724
global_set_log_level = _library.gnutls_global_set_log_level
725
global_set_log_level.argtypes = [ctypes.c_int]
726
global_set_log_level.restype = None
727
728
global_set_log_function = _library.gnutls_global_set_log_function
729
global_set_log_function.argtypes = [log_func]
730
global_set_log_function.restype = None
731
732
deinit = _library.gnutls_deinit
733
deinit.argtypes = [session_t]
734
deinit.restype = None
735
736
handshake = _library.gnutls_handshake
737
handshake.argtypes = [session_t]
738
handshake.restype = _error_code
739
handshake.errcheck = _retry_on_error
740
741
transport_set_ptr = _library.gnutls_transport_set_ptr
742
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
743
transport_set_ptr.restype = None
744
745
bye = _library.gnutls_bye
746
bye.argtypes = [session_t, close_request_t]
747
bye.restype = _error_code
748
bye.errcheck = _retry_on_error
749
750
check_version = _library.gnutls_check_version
751
check_version.argtypes = [ctypes.c_char_p]
752
check_version.restype = ctypes.c_char_p
753
754
_need_version = b"3.3.0"
755
if check_version(_need_version) is None:
756
raise self.Error("Needs GnuTLS {} or later"
757
.format(_need_version))
758
759
_tls_rawpk_version = b"3.6.6"
760
has_rawpk = bool(check_version(_tls_rawpk_version))
761
762
if has_rawpk:
763
# Types
764
class pubkey_st(ctypes.Structure):
765
_fields = []
766
pubkey_t = ctypes.POINTER(pubkey_st)
767
768
x509_crt_fmt_t = ctypes.c_int
769
770
# All the function declarations below are from gnutls/abstract.h
771
pubkey_init = _library.gnutls_pubkey_init
772
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
773
pubkey_init.restype = _error_code
774
775
pubkey_import = _library.gnutls_pubkey_import
776
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
777
x509_crt_fmt_t]
778
pubkey_import.restype = _error_code
779
780
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
781
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
782
ctypes.POINTER(ctypes.c_ubyte),
783
ctypes.POINTER(ctypes.c_size_t)]
784
pubkey_get_key_id.restype = _error_code
785
786
pubkey_deinit = _library.gnutls_pubkey_deinit
787
pubkey_deinit.argtypes = [pubkey_t]
788
pubkey_deinit.restype = None
789
else:
790
# All the function declarations below are from gnutls/openpgp.h
791
792
openpgp_crt_init = _library.gnutls_openpgp_crt_init
793
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
794
openpgp_crt_init.restype = _error_code
795
796
openpgp_crt_import = _library.gnutls_openpgp_crt_import
797
openpgp_crt_import.argtypes = [openpgp_crt_t,
798
ctypes.POINTER(datum_t),
799
openpgp_crt_fmt_t]
800
openpgp_crt_import.restype = _error_code
801
802
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
803
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
804
ctypes.POINTER(ctypes.c_uint)]
805
openpgp_crt_verify_self.restype = _error_code
806
807
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
808
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
809
openpgp_crt_deinit.restype = None
810
811
openpgp_crt_get_fingerprint = (
812
_library.gnutls_openpgp_crt_get_fingerprint)
813
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
814
ctypes.c_void_p,
815
ctypes.POINTER(
816
ctypes.c_size_t)]
817
openpgp_crt_get_fingerprint.restype = _error_code
818
819
if check_version(b"3.6.4"):
820
certificate_type_get2 = _library.gnutls_certificate_type_get2
821
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
822
certificate_type_get2.restype = _error_code
823
824
# Remove non-public functions
825
del _error_code, _retry_on_error
826
827
828
def call_pipe(connection, # : multiprocessing.Connection
829
func, *args, **kwargs):
830
"""This function is meant to be called by multiprocessing.Process
831
832
This function runs func(*args, **kwargs), and writes the resulting
833
return value on the provided multiprocessing.Connection.
834
"""
835
connection.send(func(*args, **kwargs))
836
connection.close()
837
838
839
class Client:
401
def timedelta_to_milliseconds(td):
402
"Convert a datetime.timedelta() to milliseconds"
403
return ((td.days * 24 * 60 * 60 * 1000)
404
+ (td.seconds * 1000)
405
+ (td.microseconds // 1000))
406
407
408
class Client(object):
840
409
"""A representation of a client host served by this server.
841
410
842
411
Attributes:
843
412
approved: bool(); 'None' if not yet approved/disapproved
844
413
approval_delay: datetime.timedelta(); Time to wait for approval
845
414
approval_duration: datetime.timedelta(); Duration of one approval
846
checker: multiprocessing.Process(); a running checker process used
847
to see if the client lives. 'None' if no process is
848
running.
849
checker_callback_tag: a GLib event source tag, or None
415
checker: subprocess.Popen(); a running checker process used
416
to see if the client lives.
417
'None' if no process is running.
418
checker_callback_tag: a gobject event source tag, or None
850
419
checker_command: string; External command which is run to check
851
420
if client lives. %() expansions are done at
852
421
runtime with vars(self) as dict, so that for
853
422
instance %(name)s can be used in the command.
854
checker_initiator_tag: a GLib event source tag, or None
423
checker_initiator_tag: a gobject event source tag, or None
855
424
created: datetime.datetime(); (UTC) object creation
856
425
client_structure: Object describing what attributes a client has
857
426
and is used for storing the client at exit
858
427
current_checker_command: string; current running checker_command
859
disable_initiator_tag: a GLib event source tag, or None
428
disable_initiator_tag: a gobject event source tag, or None
860
429
enabled: bool()
861
430
fingerprint: string (40 or 32 hexadecimal digits); used to
862
uniquely identify an OpenPGP client
863
key_id: string (64 hexadecimal digits); used to uniquely identify
864
a client using raw public keys
431
uniquely identify the client
865
432
host: string; available for use by the checker command
866
433
interval: datetime.timedelta(); How often to start a new checker
867
434
last_approval_request: datetime.datetime(); (UTC) or None
869
436
last_checker_status: integer between 0 and 255 reflecting exit
870
437
status of last checker. -1 reflects crashed
871
438
checker, -2 means no checker completed yet.
872
last_checker_signal: The signal which killed the last checker, if
873
last_checker_status is -1
874
439
last_enabled: datetime.datetime(); (UTC) or None
875
440
name: string; from the config file, used in log messages and
876
441
D-Bus identifiers
883
448
disabled, or None
884
449
server_settings: The server_settings dict from main()
885
450
"""
886
451
887
452
runtime_expansions = ("approval_delay", "approval_duration",
888
"created", "enabled", "expires", "key_id",
453
"created", "enabled", "expires",
889
454
"fingerprint", "host", "interval",
890
455
"last_approval_request", "last_checked_ok",
891
456
"last_enabled", "name", "timeout")
892
client_defaults = {
893
"timeout": "PT5M",
894
"extended_timeout": "PT15M",
895
"interval": "PT2M",
896
"checker": "fping -q -- %%(host)s",
897
"host": "",
898
"approval_delay": "PT0S",
899
"approval_duration": "PT1S",
900
"approved_by_default": "True",
901
"enabled": "True",
902
}
903
457
client_defaults = { "timeout": "PT5M",
458
"extended_timeout": "PT15M",
459
"interval": "PT2M",
460
"checker": "fping -q -- %%(host)s",
461
"host": "",
462
"approval_delay": "PT0S",
463
"approval_duration": "PT1S",
464
"approved_by_default": "True",
465
"enabled": "True",
466
}
467
468
def timeout_milliseconds(self):
469
"Return the 'timeout' attribute in milliseconds"
470
return timedelta_to_milliseconds(self.timeout)
471
472
def extended_timeout_milliseconds(self):
473
"Return the 'extended_timeout' attribute in milliseconds"
474
return timedelta_to_milliseconds(self.extended_timeout)
475
476
def interval_milliseconds(self):
477
"Return the 'interval' attribute in milliseconds"
478
return timedelta_to_milliseconds(self.interval)
479
480
def approval_delay_milliseconds(self):
481
return timedelta_to_milliseconds(self.approval_delay)
482
904
483
@staticmethod
905
484
def config_parser(config):
906
485
"""Construct a new dict of client settings of this form:
913
492
for client_name in config.sections():
914
493
section = dict(config.items(client_name))
915
494
client = settings[client_name] = {}
916
495
917
496
client["host"] = section["host"]
918
497
# Reformat values from string types to Python types
919
498
client["approved_by_default"] = config.getboolean(
920
499
client_name, "approved_by_default")
921
500
client["enabled"] = config.getboolean(client_name,
922
501
"enabled")
923
924
# Uppercase and remove spaces from key_id and fingerprint
925
# for later comparison purposes with return value from the
926
# key_id() and fingerprint() functions
927
client["key_id"] = (section.get("key_id", "").upper()
928
.replace(" ", ""))
502
929
503
client["fingerprint"] = (section["fingerprint"].upper()
930
504
.replace(" ", ""))
931
505
if "secret" in section:
932
client["secret"] = codecs.decode(section["secret"]
933
.encode("utf-8"),
934
"base64")
506
client["secret"] = section["secret"].decode("base64")
935
507
elif "secfile" in section:
936
508
with open(os.path.expanduser(os.path.expandvars
937
509
(section["secfile"])),
938
510
"rb") as secfile:
939
511
client["secret"] = secfile.read()
940
512
else:
941
raise TypeError("No secret or secfile for section {}"
513
raise TypeError("No secret or secfile for section {0}"
942
514
.format(section))
943
515
client["timeout"] = string_to_delta(section["timeout"])
944
516
client["extended_timeout"] = string_to_delta(
952
524
client["last_approval_request"] = None
953
525
client["last_checked_ok"] = None
954
526
client["last_checker_status"] = -2
955
527
956
528
return settings
957
958
def __init__(self, settings, name=None, server_settings=None):
529
530
def __init__(self, settings, name = None, server_settings=None):
959
531
self.name = name
960
532
if server_settings is None:
961
533
server_settings = {}
962
534
self.server_settings = server_settings
963
535
# adding all client settings
964
for setting, value in settings.items():
536
for setting, value in settings.iteritems():
965
537
setattr(self, setting, value)
966
538
967
539
if self.enabled:
968
540
if not hasattr(self, "last_enabled"):
969
541
self.last_enabled = datetime.datetime.utcnow()
973
545
else:
974
546
self.last_enabled = None
975
547
self.expires = None
976
548
977
549
logger.debug("Creating client %r", self.name)
978
logger.debug(" Key ID: %s", self.key_id)
550
# Uppercase and remove spaces from fingerprint for later
551
# comparison purposes with return value from the fingerprint()
552
# function
979
553
logger.debug(" Fingerprint: %s", self.fingerprint)
980
554
self.created = settings.get("created",
981
555
datetime.datetime.utcnow())
982
556
983
557
# attributes specific for this server instance
984
558
self.checker = None
985
559
self.checker_initiator_tag = None
988
562
self.current_checker_command = None
989
563
self.approved = None
990
564
self.approvals_pending = 0
991
self.changedstate = multiprocessing_manager.Condition(
992
multiprocessing_manager.Lock())
993
self.client_structure = [attr
994
for attr in self.__dict__.keys()
565
self.changedstate = (multiprocessing_manager
566
.Condition(multiprocessing_manager
567
.Lock()))
568
self.client_structure = [attr for attr in
569
self.__dict__.iterkeys()
995
570
if not attr.startswith("_")]
996
571
self.client_structure.append("client_structure")
997
998
for name, t in inspect.getmembers(
999
type(self), lambda obj: isinstance(obj, property)):
572
573
for name, t in inspect.getmembers(type(self),
574
lambda obj:
575
isinstance(obj,
576
property)):
1000
577
if not name.startswith("_"):
1001
578
self.client_structure.append(name)
1002
579
1003
580
# Send notice to process children that client state has changed
1004
581
def send_changedstate(self):
1005
582
with self.changedstate:
1006
583
self.changedstate.notify_all()
1007
584
1008
585
def enable(self):
1009
586
"""Start this client's checker and timeout hooks"""
1010
587
if getattr(self, "enabled", False):
1015
592
self.last_enabled = datetime.datetime.utcnow()
1016
593
self.init_checker()
1017
594
self.send_changedstate()
1018
595
1019
596
def disable(self, quiet=True):
1020
597
"""Disable this client."""
1021
598
if not getattr(self, "enabled", False):
1023
600
if not quiet:
1024
601
logger.info("Disabling client %s", self.name)
1025
602
if getattr(self, "disable_initiator_tag", None) is not None:
1026
GLib.source_remove(self.disable_initiator_tag)
603
gobject.source_remove(self.disable_initiator_tag)
1027
604
self.disable_initiator_tag = None
1028
605
self.expires = None
1029
606
if getattr(self, "checker_initiator_tag", None) is not None:
1030
GLib.source_remove(self.checker_initiator_tag)
607
gobject.source_remove(self.checker_initiator_tag)
1031
608
self.checker_initiator_tag = None
1032
609
self.stop_checker()
1033
610
self.enabled = False
1034
611
if not quiet:
1035
612
self.send_changedstate()
1036
# Do not run this again if called by a GLib.timeout_add
613
# Do not run this again if called by a gobject.timeout_add
1037
614
return False
1038
615
1039
616
def __del__(self):
1040
617
self.disable()
1041
618
1042
619
def init_checker(self):
1043
620
# Schedule a new checker to be started an 'interval' from now,
1044
621
# and every interval from then on.
1045
622
if self.checker_initiator_tag is not None:
1046
GLib.source_remove(self.checker_initiator_tag)
1047
self.checker_initiator_tag = GLib.timeout_add(
1048
random.randrange(int(self.interval.total_seconds() * 1000
1049
+ 1)),
1050
self.start_checker)
623
gobject.source_remove(self.checker_initiator_tag)
624
self.checker_initiator_tag = (gobject.timeout_add
625
(self.interval_milliseconds(),
626
self.start_checker))
1051
627
# Schedule a disable() when 'timeout' has passed
1052
628
if self.disable_initiator_tag is not None:
1053
GLib.source_remove(self.disable_initiator_tag)
1054
self.disable_initiator_tag = GLib.timeout_add(
1055
int(self.timeout.total_seconds() * 1000), self.disable)
629
gobject.source_remove(self.disable_initiator_tag)
630
self.disable_initiator_tag = (gobject.timeout_add
631
(self.timeout_milliseconds(),
632
self.disable))
1056
633
# Also start a new checker *right now*.
1057
634
self.start_checker()
1058
1059
def checker_callback(self, source, condition, connection,
1060
command):
635
636
def checker_callback(self, pid, condition, command):
1061
637
"""The checker has completed, so take appropriate actions."""
1062
# Read return code from connection (see call_pipe)
1063
returncode = connection.recv()
1064
connection.close()
1065
if self.checker is not None:
1066
self.checker.join()
1067
638
self.checker_callback_tag = None
1068
639
self.checker = None
1069
1070
if returncode >= 0:
1071
self.last_checker_status = returncode
1072
self.last_checker_signal = None
640
if os.WIFEXITED(condition):
641
self.last_checker_status = os.WEXITSTATUS(condition)
1073
642
if self.last_checker_status == 0:
1074
643
logger.info("Checker for %(name)s succeeded",
1075
644
vars(self))
1076
645
self.checked_ok()
1077
646
else:
1078
logger.info("Checker for %(name)s failed", vars(self))
647
logger.info("Checker for %(name)s failed",
648
vars(self))
1079
649
else:
1080
650
self.last_checker_status = -1
1081
self.last_checker_signal = -returncode
1082
651
logger.warning("Checker for %(name)s crashed?",
1083
652
vars(self))
1084
return False
1085
653
1086
654
def checked_ok(self):
1087
655
"""Assert that the client has been seen, alive and well."""
1088
656
self.last_checked_ok = datetime.datetime.utcnow()
1089
657
self.last_checker_status = 0
1090
self.last_checker_signal = None
1091
658
self.bump_timeout()
1092
659
1093
660
def bump_timeout(self, timeout=None):
1094
661
"""Bump up the timeout for this client."""
1095
662
if timeout is None:
1096
663
timeout = self.timeout
1097
664
if self.disable_initiator_tag is not None:
1098
GLib.source_remove(self.disable_initiator_tag)
665
gobject.source_remove(self.disable_initiator_tag)
1099
666
self.disable_initiator_tag = None
1100
667
if getattr(self, "enabled", False):
1101
self.disable_initiator_tag = GLib.timeout_add(
1102
int(timeout.total_seconds() * 1000), self.disable)
668
self.disable_initiator_tag = (gobject.timeout_add
669
(timedelta_to_milliseconds
670
(timeout), self.disable))
1103
671
self.expires = datetime.datetime.utcnow() + timeout
1104
672
1105
673
def need_approval(self):
1106
674
self.last_approval_request = datetime.datetime.utcnow()
1107
675
1108
676
def start_checker(self):
1109
677
"""Start a new checker subprocess if one is not running.
1110
678
1111
679
If a checker already exists, leave it running and do
1112
680
nothing."""
1113
681
# The reason for not killing a running checker is that if we
1118
686
# checkers alone, the checker would have to take more time
1119
687
# than 'timeout' for the client to be disabled, which is as it
1120
688
# should be.
1121
1122
if self.checker is not None and not self.checker.is_alive():
1123
logger.warning("Checker was not alive; joining")
1124
self.checker.join()
1125
self.checker = None
689
690
# If a checker exists, make sure it is not a zombie
691
try:
692
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
693
except (AttributeError, OSError) as error:
694
if (isinstance(error, OSError)
695
and error.errno != errno.ECHILD):
696
raise error
697
else:
698
if pid:
699
logger.warning("Checker was a zombie")
700
gobject.source_remove(self.checker_callback_tag)
701
self.checker_callback(pid, status,
702
self.current_checker_command)
1126
703
# Start a new checker if needed
1127
704
if self.checker is None:
1128
705
# Escape attributes for the shell
1129
escaped_attrs = {
1130
attr: re.escape(str(getattr(self, attr)))
1131
for attr in self.runtime_expansions}
706
escaped_attrs = dict(
707
(attr, re.escape(unicode(getattr(self, attr))))
708
for attr in
709
self.runtime_expansions)
1132
710
try:
1133
711
command = self.checker_command % escaped_attrs
1134
712
except TypeError as error:
1135
713
logger.error('Could not format string "%s"',
1136
self.checker_command,
714
self.checker_command, exc_info=error)
715
return True # Try again later
716
self.current_checker_command = command
717
try:
718
logger.info("Starting checker %r for %s",
719
command, self.name)
720
# We don't need to redirect stdout and stderr, since
721
# in normal mode, that is already done by daemon(),
722
# and in debug mode we don't want to. (Stdin is
723
# always replaced by /dev/null.)
724
# The exception is when not debugging but nevertheless
725
# running in the foreground; use the previously
726
# created wnull.
727
popen_args = {}
728
if (not self.server_settings["debug"]
729
and self.server_settings["foreground"]):
730
popen_args.update({"stdout": wnull,
731
"stderr": wnull })
732
self.checker = subprocess.Popen(command,
733
close_fds=True,
734
shell=True, cwd="/",
735
**popen_args)
736
except OSError as error:
737
logger.error("Failed to start subprocess",
1137
738
exc_info=error)
1138
return True # Try again later
1139
self.current_checker_command = command
1140
logger.info("Starting checker %r for %s", command,
1141
self.name)
1142
# We don't need to redirect stdout and stderr, since
1143
# in normal mode, that is already done by daemon(),
1144
# and in debug mode we don't want to. (Stdin is
1145
# always replaced by /dev/null.)
1146
# The exception is when not debugging but nevertheless
1147
# running in the foreground; use the previously
1148
# created wnull.
1149
popen_args = {"close_fds": True,
1150
"shell": True,
1151
"cwd": "/"}
1152
if (not self.server_settings["debug"]
1153
and self.server_settings["foreground"]):
1154
popen_args.update({"stdout": wnull,
1155
"stderr": wnull})
1156
pipe = multiprocessing.Pipe(duplex=False)
1157
self.checker = multiprocessing.Process(
1158
target=call_pipe,
1159
args=(pipe[1], subprocess.call, command),
1160
kwargs=popen_args)
1161
self.checker.start()
1162
self.checker_callback_tag = GLib.io_add_watch(
1163
GLib.IOChannel.unix_new(pipe[0].fileno()),
1164
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1165
self.checker_callback, pipe[0], command)
1166
# Re-run this periodically if run by GLib.timeout_add
739
return True
740
self.checker_callback_tag = (gobject.child_watch_add
741
(self.checker.pid,
742
self.checker_callback,
743
data=command))
744
# The checker may have completed before the gobject
745
# watch was added. Check for this.
746
try:
747
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
748
except OSError as error:
749
if error.errno == errno.ECHILD:
750
# This should never happen
751
logger.error("Child process vanished",
752
exc_info=error)
753
return True
754
raise
755
if pid:
756
gobject.source_remove(self.checker_callback_tag)
757
self.checker_callback(pid, status, command)
758
# Re-run this periodically if run by gobject.timeout_add
1167
759
return True
1168
760
1169
761
def stop_checker(self):
1170
762
"""Force the checker process, if any, to stop."""
1171
763
if self.checker_callback_tag:
1172
GLib.source_remove(self.checker_callback_tag)
764
gobject.source_remove(self.checker_callback_tag)
1173
765
self.checker_callback_tag = None
1174
766
if getattr(self, "checker", None) is None:
1175
767
return
1176
768
logger.debug("Stopping checker for %(name)s", vars(self))
1177
self.checker.terminate()
769
try:
770
self.checker.terminate()
771
#time.sleep(0.5)
772
#if self.checker.poll() is None:
773
# self.checker.kill()
774
except OSError as error:
775
if error.errno != errno.ESRCH: # No such process
776
raise
1178
777
self.checker = None
1179
778
1180
779
1181
def dbus_service_property(dbus_interface,
1182
signature="v",
1183
access="readwrite",
1184
byte_arrays=False):
780
def dbus_service_property(dbus_interface, signature="v",
781
access="readwrite", byte_arrays=False):
1185
782
"""Decorators for marking methods of a DBusObjectWithProperties to
1186
783
become properties on the D-Bus.
1187
784
1188
785
The decorated method will be called with no arguments by "Get"
1189
786
and with one argument by "Set".
1190
787
1191
788
The parameters, where they are supported, are the same as
1192
789
dbus.service.method, except there is only "signature", since the
1193
790
type from Get() and the type sent to Set() is the same.
1196
793
# "Set" method, so we fail early here:
1197
794
if byte_arrays and signature != "ay":
1198
795
raise ValueError("Byte arrays not supported for non-'ay'"
1199
" signature {!r}".format(signature))
1200
796
" signature {0!r}".format(signature))
1201
797
def decorator(func):
1202
798
func._dbus_is_property = True
1203
799
func._dbus_interface = dbus_interface
1206
802
func._dbus_name = func.__name__
1207
803
if func._dbus_name.endswith("_dbus_property"):
1208
804
func._dbus_name = func._dbus_name[:-14]
1209
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
805
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1210
806
return func
1211
1212
807
return decorator
1213
808
1214
809
1215
810
def dbus_interface_annotations(dbus_interface):
1216
811
"""Decorator for marking functions returning interface annotations
1217
812
1218
813
Usage:
1219
814
1220
815
@dbus_interface_annotations("org.example.Interface")
1221
816
def _foo(self): # Function name does not matter
1222
817
return {"org.freedesktop.DBus.Deprecated": "true",
1223
818
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1224
819
"false"}
1225
820
"""
1226
1227
821
def decorator(func):
1228
822
func._dbus_is_interface = True
1229
823
func._dbus_interface = dbus_interface
1230
824
func._dbus_name = dbus_interface
1231
825
return func
1232
1233
826
return decorator
1234
827
1235
828
1236
829
def dbus_annotations(annotations):
1237
830
"""Decorator to annotate D-Bus methods, signals or properties
1238
831
Usage:
1239
1240
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1241
"org.freedesktop.DBus.Property."
1242
"EmitsChangedSignal": "false"})
832
1243
833
@dbus_service_property("org.example.Interface", signature="b",
1244
834
access="r")
835
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
836
"org.freedesktop.DBus.Property."
837
"EmitsChangedSignal": "false"})
1245
838
def Property_dbus_property(self):
1246
839
return dbus.Boolean(False)
1247
1248
See also the DBusObjectWithAnnotations class.
1249
840
"""
1250
1251
841
def decorator(func):
1252
842
func._dbus_annotations = annotations
1253
843
return func
1254
1255
844
return decorator
1256
845
1257
846
1258
847
class DBusPropertyException(dbus.exceptions.DBusException):
1259
848
"""A base class for D-Bus property-related exceptions
1260
849
"""
1261
pass
850
def __unicode__(self):
851
return unicode(str(self))
1262
852
1263
853
1264
854
class DBusPropertyAccessException(DBusPropertyException):
1273
863
pass
1274
864
1275
865
1276
class DBusObjectWithAnnotations(dbus.service.Object):
1277
"""A D-Bus object with annotations.
1278
1279
Classes inheriting from this can use the dbus_annotations
1280
decorator to add annotations to methods or signals.
866
class DBusObjectWithProperties(dbus.service.Object):
867
"""A D-Bus object with properties.
868
869
Classes inheriting from this can use the dbus_service_property
870
decorator to expose methods as D-Bus properties. It exposes the
871
standard Get(), Set(), and GetAll() methods on the D-Bus.
1281
872
"""
1282
873
1283
874
@staticmethod
1284
875
def _is_dbus_thing(thing):
1285
876
"""Returns a function testing if an attribute is a D-Bus thing
1286
877
1287
878
If called like _is_dbus_thing("method") it returns a function
1288
879
suitable for use as predicate to inspect.getmembers().
1289
880
"""
1290
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
881
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
1291
882
False)
1292
883
1293
884
def _get_all_dbus_things(self, thing):
1294
885
"""Returns a generator of (name, attribute) pairs
1295
886
"""
1296
return ((getattr(athing.__get__(self), "_dbus_name", name),
887
return ((getattr(athing.__get__(self), "_dbus_name",
888
name),
1297
889
athing.__get__(self))
1298
890
for cls in self.__class__.__mro__
1299
891
for name, athing in
1300
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1301
1302
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1303
out_signature="s",
1304
path_keyword='object_path',
1305
connection_keyword='connection')
1306
def Introspect(self, object_path, connection):
1307
"""Overloading of standard D-Bus method.
1308
1309
Inserts annotation tags on methods and signals.
1310
"""
1311
xmlstring = dbus.service.Object.Introspect(self, object_path,
1312
connection)
1313
try:
1314
document = xml.dom.minidom.parseString(xmlstring)
1315
1316
for if_tag in document.getElementsByTagName("interface"):
1317
# Add annotation tags
1318
for typ in ("method", "signal"):
1319
for tag in if_tag.getElementsByTagName(typ):
1320
annots = dict()
1321
for name, prop in (self.
1322
_get_all_dbus_things(typ)):
1323
if (name == tag.getAttribute("name")
1324
and prop._dbus_interface
1325
== if_tag.getAttribute("name")):
1326
annots.update(getattr(
1327
prop, "_dbus_annotations", {}))
1328
for name, value in annots.items():
1329
ann_tag = document.createElement(
1330
"annotation")
1331
ann_tag.setAttribute("name", name)
1332
ann_tag.setAttribute("value", value)
1333
tag.appendChild(ann_tag)
1334
# Add interface annotation tags
1335
for annotation, value in dict(
1336
itertools.chain.from_iterable(
1337
annotations().items()
1338
for name, annotations
1339
in self._get_all_dbus_things("interface")
1340
if name == if_tag.getAttribute("name")
1341
)).items():
1342
ann_tag = document.createElement("annotation")
1343
ann_tag.setAttribute("name", annotation)
1344
ann_tag.setAttribute("value", value)
1345
if_tag.appendChild(ann_tag)
1346
# Fix argument name for the Introspect method itself
1347
if (if_tag.getAttribute("name")
1348
== dbus.INTROSPECTABLE_IFACE):
1349
for cn in if_tag.getElementsByTagName("method"):
1350
if cn.getAttribute("name") == "Introspect":
1351
for arg in cn.getElementsByTagName("arg"):
1352
if (arg.getAttribute("direction")
1353
== "out"):
1354
arg.setAttribute("name",
1355
"xml_data")
1356
xmlstring = document.toxml("utf-8")
1357
document.unlink()
1358
except (AttributeError, xml.dom.DOMException,
1359
xml.parsers.expat.ExpatError) as error:
1360
logger.error("Failed to override Introspection method",
1361
exc_info=error)
1362
return xmlstring
1363
1364
1365
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1366
"""A D-Bus object with properties.
1367
1368
Classes inheriting from this can use the dbus_service_property
1369
decorator to expose methods as D-Bus properties. It exposes the
1370
standard Get(), Set(), and GetAll() methods on the D-Bus.
1371
"""
1372
892
inspect.getmembers(cls,
893
self._is_dbus_thing(thing)))
894
1373
895
def _get_dbus_property(self, interface_name, property_name):
1374
896
"""Returns a bound method if one exists which is a D-Bus
1375
897
property with the specified name and interface.
1376
898
"""
1377
for cls in self.__class__.__mro__:
1378
for name, value in inspect.getmembers(
1379
cls, self._is_dbus_thing("property")):
899
for cls in self.__class__.__mro__:
900
for name, value in (inspect.getmembers
901
(cls,
902
self._is_dbus_thing("property"))):
1380
903
if (value._dbus_name == property_name
1381
904
and value._dbus_interface == interface_name):
1382
905
return value.__get__(self)
1383
906
1384
907
# No such property
1385
raise DBusPropertyNotFound("{}:{}.{}".format(
1386
self.dbus_object_path, interface_name, property_name))
1387
1388
@classmethod
1389
def _get_all_interface_names(cls):
1390
"""Get a sequence of all interfaces supported by an object"""
1391
return (name for name in set(getattr(getattr(x, attr),
1392
"_dbus_interface", None)
1393
for x in (inspect.getmro(cls))
1394
for attr in dir(x))
1395
if name is not None)
1396
1397
@dbus.service.method(dbus.PROPERTIES_IFACE,
1398
in_signature="ss",
908
raise DBusPropertyNotFound(self.dbus_object_path + ":"
909
+ interface_name + "."
910
+ property_name)
911
912
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
1399
913
out_signature="v")
1400
914
def Get(self, interface_name, property_name):
1401
915
"""Standard D-Bus property Get() method, see D-Bus standard.
1407
921
if not hasattr(value, "variant_level"):
1408
922
return value
1409
923
return type(value)(value, variant_level=value.variant_level+1)
1410
924
1411
925
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1412
926
def Set(self, interface_name, property_name, value):
1413
927
"""Standard D-Bus property Set() method, see D-Bus standard.
1419
933
# The byte_arrays option is not supported yet on
1420
934
# signatures other than "ay".
1421
935
if prop._dbus_signature != "ay":
1422
raise ValueError("Byte arrays not supported for non-"
1423
"'ay' signature {!r}"
1424
.format(prop._dbus_signature))
1425
value = dbus.ByteArray(bytes(value))
936
raise ValueError
937
value = dbus.ByteArray(b''.join(chr(byte)
938
for byte in value))
1426
939
prop(value)
1427
1428
@dbus.service.method(dbus.PROPERTIES_IFACE,
1429
in_signature="s",
940
941
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
1430
942
out_signature="a{sv}")
1431
943
def GetAll(self, interface_name):
1432
944
"""Standard D-Bus property GetAll() method, see D-Bus
1433
945
standard.
1434
946
1435
947
Note: Will not include properties with access="write".
1436
948
"""
1437
949
properties = {}
1447
959
if not hasattr(value, "variant_level"):
1448
960
properties[name] = value
1449
961
continue
1450
properties[name] = type(value)(
1451
value, variant_level=value.variant_level + 1)
962
properties[name] = type(value)(value, variant_level=
963
value.variant_level+1)
1452
964
return dbus.Dictionary(properties, signature="sv")
1453
1454
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1455
def PropertiesChanged(self, interface_name, changed_properties,
1456
invalidated_properties):
1457
"""Standard D-Bus PropertiesChanged() signal, see D-Bus
1458
standard.
1459
"""
1460
pass
1461
965
1462
966
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1463
967
out_signature="s",
1464
968
path_keyword='object_path',
1465
969
connection_keyword='connection')
1466
970
def Introspect(self, object_path, connection):
1467
971
"""Overloading of standard D-Bus method.
1468
972
1469
973
Inserts property tags and interface annotation tags.
1470
974
"""
1471
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1472
object_path,
1473
connection)
975
xmlstring = dbus.service.Object.Introspect(self, object_path,
976
connection)
1474
977
try:
1475
978
document = xml.dom.minidom.parseString(xmlstring)
1476
1477
979
def make_tag(document, name, prop):
1478
980
e = document.createElement("property")
1479
981
e.setAttribute("name", name)
1480
982
e.setAttribute("type", prop._dbus_signature)
1481
983
e.setAttribute("access", prop._dbus_access)
1482
984
return e
1483
1484
985
for if_tag in document.getElementsByTagName("interface"):
1485
986
# Add property tags
1486
987
for tag in (make_tag(document, name, prop)
1489
990
if prop._dbus_interface
1490
991
== if_tag.getAttribute("name")):
1491
992
if_tag.appendChild(tag)
1492
# Add annotation tags for properties
1493
for tag in if_tag.getElementsByTagName("property"):
1494
annots = dict()
1495
for name, prop in self._get_all_dbus_things(
1496
"property"):
1497
if (name == tag.getAttribute("name")
1498
and prop._dbus_interface
1499
== if_tag.getAttribute("name")):
1500
annots.update(getattr(
1501
prop, "_dbus_annotations", {}))
1502
for name, value in annots.items():
1503
ann_tag = document.createElement(
1504
"annotation")
1505
ann_tag.setAttribute("name", name)
1506
ann_tag.setAttribute("value", value)
1507
tag.appendChild(ann_tag)
993
# Add annotation tags
994
for typ in ("method", "signal", "property"):
995
for tag in if_tag.getElementsByTagName(typ):
996
annots = dict()
997
for name, prop in (self.
998
_get_all_dbus_things(typ)):
999
if (name == tag.getAttribute("name")
1000
and prop._dbus_interface
1001
== if_tag.getAttribute("name")):
1002
annots.update(getattr
1003
(prop,
1004
"_dbus_annotations",
1005
{}))
1006
for name, value in annots.iteritems():
1007
ann_tag = document.createElement(
1008
"annotation")
1009
ann_tag.setAttribute("name", name)
1010
ann_tag.setAttribute("value", value)
1011
tag.appendChild(ann_tag)
1012
# Add interface annotation tags
1013
for annotation, value in dict(
1014
itertools.chain.from_iterable(
1015
annotations().iteritems()
1016
for name, annotations in
1017
self._get_all_dbus_things("interface")
1018
if name == if_tag.getAttribute("name")
1019
)).iteritems():
1020
ann_tag = document.createElement("annotation")
1021
ann_tag.setAttribute("name", annotation)
1022
ann_tag.setAttribute("value", value)
1023
if_tag.appendChild(ann_tag)
1508
1024
# Add the names to the return values for the
1509
1025
# "org.freedesktop.DBus.Properties" methods
1510
1026
if (if_tag.getAttribute("name")
1529
1045
return xmlstring
1530
1046
1531
1047
1532
try:
1533
dbus.OBJECT_MANAGER_IFACE
1534
except AttributeError:
1535
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1536
1537
1538
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1539
"""A D-Bus object with an ObjectManager.
1540
1541
Classes inheriting from this exposes the standard
1542
GetManagedObjects call and the InterfacesAdded and
1543
InterfacesRemoved signals on the standard
1544
"org.freedesktop.DBus.ObjectManager" interface.
1545
1546
Note: No signals are sent automatically; they must be sent
1547
manually.
1548
"""
1549
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1550
out_signature="a{oa{sa{sv}}}")
1551
def GetManagedObjects(self):
1552
"""This function must be overridden"""
1553
raise NotImplementedError()
1554
1555
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1556
signature="oa{sa{sv}}")
1557
def InterfacesAdded(self, object_path, interfaces_and_properties):
1558
pass
1559
1560
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1561
def InterfacesRemoved(self, object_path, interfaces):
1562
pass
1563
1564
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1565
out_signature="s",
1566
path_keyword='object_path',
1567
connection_keyword='connection')
1568
def Introspect(self, object_path, connection):
1569
"""Overloading of standard D-Bus method.
1570
1571
Override return argument name of GetManagedObjects to be
1572
"objpath_interfaces_and_properties"
1573
"""
1574
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1575
object_path,
1576
connection)
1577
try:
1578
document = xml.dom.minidom.parseString(xmlstring)
1579
1580
for if_tag in document.getElementsByTagName("interface"):
1581
# Fix argument name for the GetManagedObjects method
1582
if (if_tag.getAttribute("name")
1583
== dbus.OBJECT_MANAGER_IFACE):
1584
for cn in if_tag.getElementsByTagName("method"):
1585
if (cn.getAttribute("name")
1586
== "GetManagedObjects"):
1587
for arg in cn.getElementsByTagName("arg"):
1588
if (arg.getAttribute("direction")
1589
== "out"):
1590
arg.setAttribute(
1591
"name",
1592
"objpath_interfaces"
1593
"_and_properties")
1594
xmlstring = document.toxml("utf-8")
1595
document.unlink()
1596
except (AttributeError, xml.dom.DOMException,
1597
xml.parsers.expat.ExpatError) as error:
1598
logger.error("Failed to override Introspection method",
1599
exc_info=error)
1600
return xmlstring
1601
1602
1603
1048
def datetime_to_dbus(dt, variant_level=0):
1604
1049
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1605
1050
if dt is None:
1606
return dbus.String("", variant_level=variant_level)
1607
return dbus.String(dt.isoformat(), variant_level=variant_level)
1051
return dbus.String("", variant_level = variant_level)
1052
return dbus.String(dt.isoformat(),
1053
variant_level=variant_level)
1608
1054
1609
1055
1610
1056
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1612
1058
dbus.service.Object, it will add alternate D-Bus attributes with
1613
1059
interface names according to the "alt_interface_names" mapping.
1614
1060
Usage:
1615
1061
1616
1062
@alternate_dbus_interfaces({"org.example.Interface":
1617
1063
"net.example.AlternateInterface"})
1618
1064
class SampleDBusObject(dbus.service.Object):
1619
1065
@dbus.service.method("org.example.Interface")
1620
1066
def SampleDBusMethod():
1621
1067
pass
1622
1068
1623
1069
The above "SampleDBusMethod" on "SampleDBusObject" will be
1624
1070
reachable via two interfaces: "org.example.Interface" and
1625
1071
"net.example.AlternateInterface", the latter of which will have
1626
1072
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1627
1073
"true", unless "deprecate" is passed with a False value.
1628
1074
1629
1075
This works for methods and signals, and also for D-Bus properties
1630
1076
(from DBusObjectWithProperties) and interfaces (from the
1631
1077
dbus_interface_annotations decorator).
1632
1078
"""
1633
1634
1079
def wrapper(cls):
1635
1080
for orig_interface_name, alt_interface_name in (
1636
alt_interface_names.items()):
1081
alt_interface_names.iteritems()):
1637
1082
attr = {}
1638
1083
interface_names = set()
1639
1084
# Go though all attributes of the class
1641
1086
# Ignore non-D-Bus attributes, and D-Bus attributes
1642
1087
# with the wrong interface name
1643
1088
if (not hasattr(attribute, "_dbus_interface")
1644
or not attribute._dbus_interface.startswith(
1645
orig_interface_name)):
1089
or not attribute._dbus_interface
1090
.startswith(orig_interface_name)):
1646
1091
continue
1647
1092
# Create an alternate D-Bus interface name based on
1648
1093
# the current name
1649
alt_interface = attribute._dbus_interface.replace(
1650
orig_interface_name, alt_interface_name)
1094
alt_interface = (attribute._dbus_interface
1095
.replace(orig_interface_name,
1096
alt_interface_name))
1651
1097
interface_names.add(alt_interface)
1652
1098
# Is this a D-Bus signal?
1653
1099
if getattr(attribute, "_dbus_is_signal", False):
1654
1100
# Extract the original non-method undecorated
1655
1101
# function by black magic
1656
if sys.version_info.major == 2:
1657
nonmethod_func = (dict(
1102
nonmethod_func = (dict(
1658
1103
zip(attribute.func_code.co_freevars,
1659
attribute.__closure__))
1660
["func"].cell_contents)
1661
else:
1662
nonmethod_func = (dict(
1663
zip(attribute.__code__.co_freevars,
1664
attribute.__closure__))
1665
["func"].cell_contents)
1104
attribute.__closure__))["func"]
1105
.cell_contents)
1666
1106
# Create a new, but exactly alike, function
1667
1107
# object, and decorate it to be a new D-Bus signal
1668
1108
# with the alternate D-Bus interface name
1669
new_function = copy_function(nonmethod_func)
1670
new_function = (dbus.service.signal(
1671
alt_interface,
1672
attribute._dbus_signature)(new_function))
1109
new_function = (dbus.service.signal
1110
(alt_interface,
1111
attribute._dbus_signature)
1112
(types.FunctionType(
1113
nonmethod_func.func_code,
1114
nonmethod_func.func_globals,
1115
nonmethod_func.func_name,
1116
nonmethod_func.func_defaults,
1117
nonmethod_func.func_closure)))
1673
1118
# Copy annotations, if any
1674
1119
try:
1675
new_function._dbus_annotations = dict(
1676
attribute._dbus_annotations)
1120
new_function._dbus_annotations = (
1121
dict(attribute._dbus_annotations))
1677
1122
except AttributeError:
1678
1123
pass
1679
1680
1124
# Define a creator of a function to call both the
1681
1125
# original and alternate functions, so both the
1682
1126
# original and alternate signals gets sent when
1685
1129
"""This function is a scope container to pass
1686
1130
func1 and func2 to the "call_both" function
1687
1131
outside of its arguments"""
1688
1689
@functools.wraps(func2)
1690
1132
def call_both(*args, **kwargs):
1691
1133
"""This function will emit two D-Bus
1692
1134
signals by calling func1 and func2"""
1693
1135
func1(*args, **kwargs)
1694
1136
func2(*args, **kwargs)
1695
# Make wrapper function look like a D-Bus
1696
# signal
1697
for name, attr in inspect.getmembers(func2):
1698
if name.startswith("_dbus_"):
1699
setattr(call_both, name, attr)
1700
1701
1137
return call_both
1702
1138
# Create the "call_both" function and add it to
1703
1139
# the class
1708
1144
# object. Decorate it to be a new D-Bus method
1709
1145
# with the alternate D-Bus interface name. Add it
1710
1146
# to the class.
1711
attr[attrname] = (
1712
dbus.service.method(
1713
alt_interface,
1714
attribute._dbus_in_signature,
1715
attribute._dbus_out_signature)
1716
(copy_function(attribute)))
1147
attr[attrname] = (dbus.service.method
1148
(alt_interface,
1149
attribute._dbus_in_signature,
1150
attribute._dbus_out_signature)
1151
(types.FunctionType
1152
(attribute.func_code,
1153
attribute.func_globals,
1154
attribute.func_name,
1155
attribute.func_defaults,
1156
attribute.func_closure)))
1717
1157
# Copy annotations, if any
1718
1158
try:
1719
attr[attrname]._dbus_annotations = dict(
1720
attribute._dbus_annotations)
1159
attr[attrname]._dbus_annotations = (
1160
dict(attribute._dbus_annotations))
1721
1161
except AttributeError:
1722
1162
pass
1723
1163
# Is this a D-Bus property?
1726
1166
# object, and decorate it to be a new D-Bus
1727
1167
# property with the alternate D-Bus interface
1728
1168
# name. Add it to the class.
1729
attr[attrname] = (dbus_service_property(
1730
alt_interface, attribute._dbus_signature,
1731
attribute._dbus_access,
1732
attribute._dbus_get_args_options
1733
["byte_arrays"])
1734
(copy_function(attribute)))
1169
attr[attrname] = (dbus_service_property
1170
(alt_interface,
1171
attribute._dbus_signature,
1172
attribute._dbus_access,
1173
attribute
1174
._dbus_get_args_options
1175
["byte_arrays"])
1176
(types.FunctionType
1177
(attribute.func_code,
1178
attribute.func_globals,
1179
attribute.func_name,
1180
attribute.func_defaults,
1181
attribute.func_closure)))
1735
1182
# Copy annotations, if any
1736
1183
try:
1737
attr[attrname]._dbus_annotations = dict(
1738
attribute._dbus_annotations)
1184
attr[attrname]._dbus_annotations = (
1185
dict(attribute._dbus_annotations))
1739
1186
except AttributeError:
1740
1187
pass
1741
1188
# Is this a D-Bus interface?
1744
1191
# object. Decorate it to be a new D-Bus interface
1745
1192
# with the alternate D-Bus interface name. Add it
1746
1193
# to the class.
1747
attr[attrname] = (
1748
dbus_interface_annotations(alt_interface)
1749
(copy_function(attribute)))
1194
attr[attrname] = (dbus_interface_annotations
1195
(alt_interface)
1196
(types.FunctionType
1197
(attribute.func_code,
1198
attribute.func_globals,
1199
attribute.func_name,
1200
attribute.func_defaults,
1201
attribute.func_closure)))
1750
1202
if deprecate:
1751
1203
# Deprecate all alternate interfaces
1752
iname = "_AlternateDBusNames_interface_annotation{}"
1204
iname="_AlternateDBusNames_interface_annotation{0}"
1753
1205
for interface_name in interface_names:
1754
1755
1206
@dbus_interface_annotations(interface_name)
1756
1207
def func(self):
1757
return {"org.freedesktop.DBus.Deprecated":
1758
"true"}
1208
return { "org.freedesktop.DBus.Deprecated":
1209
"true" }
1759
1210
# Find an unused name
1760
1211
for aname in (iname.format(i)
1761
1212
for i in itertools.count()):
1765
1216
if interface_names:
1766
1217
# Replace the class with a new subclass of it with
1767
1218
# methods, signals, etc. as created above.
1768
if sys.version_info.major == 2:
1769
cls = type(b"{}Alternate".format(cls.__name__),
1770
(cls, ), attr)
1771
else:
1772
cls = type("{}Alternate".format(cls.__name__),
1773
(cls, ), attr)
1219
cls = type(b"{0}Alternate".format(cls.__name__),
1220
(cls,), attr)
1774
1221
return cls
1775
1776
1222
return wrapper
1777
1223
1778
1224
1779
1225
@alternate_dbus_interfaces({"se.recompile.Mandos":
1780
"se.bsnet.fukt.Mandos"})
1226
"se.bsnet.fukt.Mandos"})
1781
1227
class ClientDBus(Client, DBusObjectWithProperties):
1782
1228
"""A Client class using D-Bus
1783
1229
1784
1230
Attributes:
1785
1231
dbus_object_path: dbus.ObjectPath
1786
1232
bus: dbus.SystemBus()
1787
1233
"""
1788
1234
1789
1235
runtime_expansions = (Client.runtime_expansions
1790
+ ("dbus_object_path", ))
1791
1792
_interface = "se.recompile.Mandos.Client"
1793
1236
+ ("dbus_object_path",))
1237
1794
1238
# dbus.service.Object doesn't use super(), so we can't either.
1795
1796
def __init__(self, bus=None, *args, **kwargs):
1239
1240
def __init__(self, bus = None, *args, **kwargs):
1797
1241
self.bus = bus
1798
1242
Client.__init__(self, *args, **kwargs)
1799
1243
# Only now, when this client is initialized, can it show up on
1800
1244
# the D-Bus
1801
client_object_name = str(self.name).translate(
1245
client_object_name = unicode(self.name).translate(
1802
1246
{ord("."): ord("_"),
1803
1247
ord("-"): ord("_")})
1804
self.dbus_object_path = dbus.ObjectPath(
1805
"/clients/" + client_object_name)
1248
self.dbus_object_path = (dbus.ObjectPath
1249
("/clients/" + client_object_name))
1806
1250
DBusObjectWithProperties.__init__(self, self.bus,
1807
1251
self.dbus_object_path)
1808
1809
def notifychangeproperty(transform_func, dbus_name,
1810
type_func=lambda x: x,
1811
variant_level=1,
1812
invalidate_only=False,
1813
_interface=_interface):
1252
1253
def notifychangeproperty(transform_func,
1254
dbus_name, type_func=lambda x: x,
1255
variant_level=1):
1814
1256
""" Modify a variable so that it's a property which announces
1815
1257
its changes to DBus.
1816
1258
1817
1259
transform_fun: Function that takes a value and a variant_level
1818
1260
and transforms it to a D-Bus type.
1819
1261
dbus_name: D-Bus name of the variable
1821
1263
to the D-Bus. Default: no transform
1822
1264
variant_level: D-Bus variant level. Default: 1
1823
1265
"""
1824
attrname = "_{}".format(dbus_name)
1825
1266
attrname = "_{0}".format(dbus_name)
1826
1267
def setter(self, value):
1827
1268
if hasattr(self, "dbus_object_path"):
1828
1269
if (not hasattr(self, attrname) or
1829
1270
type_func(getattr(self, attrname, None))
1830
1271
!= type_func(value)):
1831
if invalidate_only:
1832
self.PropertiesChanged(
1833
_interface, dbus.Dictionary(),
1834
dbus.Array((dbus_name, )))
1835
else:
1836
dbus_value = transform_func(
1837
type_func(value),
1838
variant_level=variant_level)
1839
self.PropertyChanged(dbus.String(dbus_name),
1840
dbus_value)
1841
self.PropertiesChanged(
1842
_interface,
1843
dbus.Dictionary({dbus.String(dbus_name):
1844
dbus_value}),
1845
dbus.Array())
1272
dbus_value = transform_func(type_func(value),
1273
variant_level
1274
=variant_level)
1275
self.PropertyChanged(dbus.String(dbus_name),
1276
dbus_value)
1846
1277
setattr(self, attrname, value)
1847
1278
1848
1279
return property(lambda self: getattr(self, attrname), setter)
1849
1280
1850
1281
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1851
1282
approvals_pending = notifychangeproperty(dbus.Boolean,
1852
1283
"ApprovalPending",
1853
type_func=bool)
1284
type_func = bool)
1854
1285
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1855
1286
last_enabled = notifychangeproperty(datetime_to_dbus,
1856
1287
"LastEnabled")
1857
checker = notifychangeproperty(
1858
dbus.Boolean, "CheckerRunning",
1859
type_func=lambda checker: checker is not None)
1288
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1289
type_func = lambda checker:
1290
checker is not None)
1860
1291
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1861
1292
"LastCheckedOK")
1862
1293
last_checker_status = notifychangeproperty(dbus.Int16,
1865
1296
datetime_to_dbus, "LastApprovalRequest")
1866
1297
approved_by_default = notifychangeproperty(dbus.Boolean,
1867
1298
"ApprovedByDefault")
1868
approval_delay = notifychangeproperty(
1869
dbus.UInt64, "ApprovalDelay",
1870
type_func=lambda td: td.total_seconds() * 1000)
1299
approval_delay = notifychangeproperty(dbus.UInt64,
1300
"ApprovalDelay",
1301
type_func =
1302
timedelta_to_milliseconds)
1871
1303
approval_duration = notifychangeproperty(
1872
1304
dbus.UInt64, "ApprovalDuration",
1873
type_func=lambda td: td.total_seconds() * 1000)
1305
type_func = timedelta_to_milliseconds)
1874
1306
host = notifychangeproperty(dbus.String, "Host")
1875
timeout = notifychangeproperty(
1876
dbus.UInt64, "Timeout",
1877
type_func=lambda td: td.total_seconds() * 1000)
1307
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1308
type_func =
1309
timedelta_to_milliseconds)
1878
1310
extended_timeout = notifychangeproperty(
1879
1311
dbus.UInt64, "ExtendedTimeout",
1880
type_func=lambda td: td.total_seconds() * 1000)
1881
interval = notifychangeproperty(
1882
dbus.UInt64, "Interval",
1883
type_func=lambda td: td.total_seconds() * 1000)
1312
type_func = timedelta_to_milliseconds)
1313
interval = notifychangeproperty(dbus.UInt64,
1314
"Interval",
1315
type_func =
1316
timedelta_to_milliseconds)
1884
1317
checker_command = notifychangeproperty(dbus.String, "Checker")
1885
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1886
invalidate_only=True)
1887
1318
1888
1319
del notifychangeproperty
1889
1320
1890
1321
def __del__(self, *args, **kwargs):
1891
1322
try:
1892
1323
self.remove_from_connection()
1895
1326
if hasattr(DBusObjectWithProperties, "__del__"):
1896
1327
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1897
1328
Client.__del__(self, *args, **kwargs)
1898
1899
def checker_callback(self, source, condition,
1900
connection, command, *args, **kwargs):
1901
ret = Client.checker_callback(self, source, condition,
1902
connection, command, *args,
1903
**kwargs)
1904
exitstatus = self.last_checker_status
1905
if exitstatus >= 0:
1329
1330
def checker_callback(self, pid, condition, command,
1331
*args, **kwargs):
1332
self.checker_callback_tag = None
1333
self.checker = None
1334
if os.WIFEXITED(condition):
1335
exitstatus = os.WEXITSTATUS(condition)
1906
1336
# Emit D-Bus signal
1907
1337
self.CheckerCompleted(dbus.Int16(exitstatus),
1908
# This is specific to GNU libC
1909
dbus.Int64(exitstatus << 8),
1338
dbus.Int64(condition),
1910
1339
dbus.String(command))
1911
1340
else:
1912
1341
# Emit D-Bus signal
1913
1342
self.CheckerCompleted(dbus.Int16(-1),
1914
dbus.Int64(
1915
# This is specific to GNU libC
1916
(exitstatus << 8)
1917
| self.last_checker_signal),
1343
dbus.Int64(condition),
1918
1344
dbus.String(command))
1919
return ret
1920
1345
1346
return Client.checker_callback(self, pid, condition, command,
1347
*args, **kwargs)
1348
1921
1349
def start_checker(self, *args, **kwargs):
1922
old_checker_pid = getattr(self.checker, "pid", None)
1350
old_checker = self.checker
1351
if self.checker is not None:
1352
old_checker_pid = self.checker.pid
1353
else:
1354
old_checker_pid = None
1923
1355
r = Client.start_checker(self, *args, **kwargs)
1924
1356
# Only if new checker process was started
1925
1357
if (self.checker is not None
1927
1359
# Emit D-Bus signal
1928
1360
self.CheckerStarted(self.current_checker_command)
1929
1361
return r
1930
1362
1931
1363
def _reset_approved(self):
1932
1364
self.approved = None
1933
1365
return False
1934
1366
1935
1367
def approve(self, value=True):
1936
1368
self.approved = value
1937
GLib.timeout_add(int(self.approval_duration.total_seconds()
1938
* 1000), self._reset_approved)
1369
gobject.timeout_add(timedelta_to_milliseconds
1370
(self.approval_duration),
1371
self._reset_approved)
1939
1372
self.send_changedstate()
1940
1941
# D-Bus methods, signals & properties
1942
1943
# Interfaces
1944
1945
# Signals
1946
1373
1374
## D-Bus methods, signals & properties
1375
_interface = "se.recompile.Mandos.Client"
1376
1377
## Interfaces
1378
1379
@dbus_interface_annotations(_interface)
1380
def _foo(self):
1381
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1382
"false"}
1383
1384
## Signals
1385
1947
1386
# CheckerCompleted - signal
1948
1387
@dbus.service.signal(_interface, signature="nxs")
1949
1388
def CheckerCompleted(self, exitcode, waitstatus, command):
1950
1389
"D-Bus signal"
1951
1390
pass
1952
1391
1953
1392
# CheckerStarted - signal
1954
1393
@dbus.service.signal(_interface, signature="s")
1955
1394
def CheckerStarted(self, command):
1956
1395
"D-Bus signal"
1957
1396
pass
1958
1397
1959
1398
# PropertyChanged - signal
1960
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1961
1399
@dbus.service.signal(_interface, signature="sv")
1962
1400
def PropertyChanged(self, property, value):
1963
1401
"D-Bus signal"
1964
1402
pass
1965
1403
1966
1404
# GotSecret - signal
1967
1405
@dbus.service.signal(_interface)
1968
1406
def GotSecret(self):
1971
1409
server to mandos-client
1972
1410
"""
1973
1411
pass
1974
1412
1975
1413
# Rejected - signal
1976
1414
@dbus.service.signal(_interface, signature="s")
1977
1415
def Rejected(self, reason):
1978
1416
"D-Bus signal"
1979
1417
pass
1980
1418
1981
1419
# NeedApproval - signal
1982
1420
@dbus.service.signal(_interface, signature="tb")
1983
1421
def NeedApproval(self, timeout, default):
1984
1422
"D-Bus signal"
1985
1423
return self.need_approval()
1986
1987
# Methods
1988
1424
1425
## Methods
1426
1989
1427
# Approve - method
1990
1428
@dbus.service.method(_interface, in_signature="b")
1991
1429
def Approve(self, value):
1992
1430
self.approve(value)
1993
1431
1994
1432
# CheckedOK - method
1995
1433
@dbus.service.method(_interface)
1996
1434
def CheckedOK(self):
1997
1435
self.checked_ok()
1998
1436
1999
1437
# Enable - method
2000
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2001
1438
@dbus.service.method(_interface)
2002
1439
def Enable(self):
2003
1440
"D-Bus method"
2004
1441
self.enable()
2005
1442
2006
1443
# StartChecker - method
2007
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2008
1444
@dbus.service.method(_interface)
2009
1445
def StartChecker(self):
2010
1446
"D-Bus method"
2011
1447
self.start_checker()
2012
1448
2013
1449
# Disable - method
2014
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2015
1450
@dbus.service.method(_interface)
2016
1451
def Disable(self):
2017
1452
"D-Bus method"
2018
1453
self.disable()
2019
1454
2020
1455
# StopChecker - method
2021
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2022
1456
@dbus.service.method(_interface)
2023
1457
def StopChecker(self):
2024
1458
self.stop_checker()
2025
2026
# Properties
2027
1459
1460
## Properties
1461
2028
1462
# ApprovalPending - property
2029
1463
@dbus_service_property(_interface, signature="b", access="read")
2030
1464
def ApprovalPending_dbus_property(self):
2031
1465
return dbus.Boolean(bool(self.approvals_pending))
2032
1466
2033
1467
# ApprovedByDefault - property
2034
@dbus_service_property(_interface,
2035
signature="b",
1468
@dbus_service_property(_interface, signature="b",
2036
1469
access="readwrite")
2037
1470
def ApprovedByDefault_dbus_property(self, value=None):
2038
1471
if value is None: # get
2039
1472
return dbus.Boolean(self.approved_by_default)
2040
1473
self.approved_by_default = bool(value)
2041
1474
2042
1475
# ApprovalDelay - property
2043
@dbus_service_property(_interface,
2044
signature="t",
1476
@dbus_service_property(_interface, signature="t",
2045
1477
access="readwrite")
2046
1478
def ApprovalDelay_dbus_property(self, value=None):
2047
1479
if value is None: # get
2048
return dbus.UInt64(self.approval_delay.total_seconds()
2049
* 1000)
1480
return dbus.UInt64(self.approval_delay_milliseconds())
2050
1481
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2051
1482
2052
1483
# ApprovalDuration - property
2053
@dbus_service_property(_interface,
2054
signature="t",
1484
@dbus_service_property(_interface, signature="t",
2055
1485
access="readwrite")
2056
1486
def ApprovalDuration_dbus_property(self, value=None):
2057
1487
if value is None: # get
2058
return dbus.UInt64(self.approval_duration.total_seconds()
2059
* 1000)
1488
return dbus.UInt64(timedelta_to_milliseconds(
1489
self.approval_duration))
2060
1490
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2061
1491
2062
1492
# Name - property
2063
@dbus_annotations(
2064
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2065
1493
@dbus_service_property(_interface, signature="s", access="read")
2066
1494
def Name_dbus_property(self):
2067
1495
return dbus.String(self.name)
2068
2069
# KeyID - property
2070
@dbus_annotations(
2071
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2072
@dbus_service_property(_interface, signature="s", access="read")
2073
def KeyID_dbus_property(self):
2074
return dbus.String(self.key_id)
2075
1496
2076
1497
# Fingerprint - property
2077
@dbus_annotations(
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
1498
@dbus_service_property(_interface, signature="s", access="read")
2080
1499
def Fingerprint_dbus_property(self):
2081
1500
return dbus.String(self.fingerprint)
2082
1501
2083
1502
# Host - property
2084
@dbus_service_property(_interface,
2085
signature="s",
1503
@dbus_service_property(_interface, signature="s",
2086
1504
access="readwrite")
2087
1505
def Host_dbus_property(self, value=None):
2088
1506
if value is None: # get
2089
1507
return dbus.String(self.host)
2090
self.host = str(value)
2091
1508
self.host = unicode(value)
1509
2092
1510
# Created - property
2093
@dbus_annotations(
2094
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2095
1511
@dbus_service_property(_interface, signature="s", access="read")
2096
1512
def Created_dbus_property(self):
2097
1513
return datetime_to_dbus(self.created)
2098
1514
2099
1515
# LastEnabled - property
2100
1516
@dbus_service_property(_interface, signature="s", access="read")
2101
1517
def LastEnabled_dbus_property(self):
2102
1518
return datetime_to_dbus(self.last_enabled)
2103
1519
2104
1520
# Enabled - property
2105
@dbus_service_property(_interface,
2106
signature="b",
1521
@dbus_service_property(_interface, signature="b",
2107
1522
access="readwrite")
2108
1523
def Enabled_dbus_property(self, value=None):
2109
1524
if value is None: # get
2112
1527
self.enable()
2113
1528
else:
2114
1529
self.disable()
2115
1530
2116
1531
# LastCheckedOK - property
2117
@dbus_service_property(_interface,
2118
signature="s",
1532
@dbus_service_property(_interface, signature="s",
2119
1533
access="readwrite")
2120
1534
def LastCheckedOK_dbus_property(self, value=None):
2121
1535
if value is not None:
2122
1536
self.checked_ok()
2123
1537
return
2124
1538
return datetime_to_dbus(self.last_checked_ok)
2125
1539
2126
1540
# LastCheckerStatus - property
2127
@dbus_service_property(_interface, signature="n", access="read")
1541
@dbus_service_property(_interface, signature="n",
1542
access="read")
2128
1543
def LastCheckerStatus_dbus_property(self):
2129
1544
return dbus.Int16(self.last_checker_status)
2130
1545
2131
1546
# Expires - property
2132
1547
@dbus_service_property(_interface, signature="s", access="read")
2133
1548
def Expires_dbus_property(self):
2134
1549
return datetime_to_dbus(self.expires)
2135
1550
2136
1551
# LastApprovalRequest - property
2137
1552
@dbus_service_property(_interface, signature="s", access="read")
2138
1553
def LastApprovalRequest_dbus_property(self):
2139
1554
return datetime_to_dbus(self.last_approval_request)
2140
1555
2141
1556
# Timeout - property
2142
@dbus_service_property(_interface,
2143
signature="t",
1557
@dbus_service_property(_interface, signature="t",
2144
1558
access="readwrite")
2145
1559
def Timeout_dbus_property(self, value=None):
2146
1560
if value is None: # get
2147
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1561
return dbus.UInt64(self.timeout_milliseconds())
2148
1562
old_timeout = self.timeout
2149
1563
self.timeout = datetime.timedelta(0, 0, 0, value)
2150
1564
# Reschedule disabling
2158
1572
if (getattr(self, "disable_initiator_tag", None)
2159
1573
is None):
2160
1574
return
2161
GLib.source_remove(self.disable_initiator_tag)
2162
self.disable_initiator_tag = GLib.timeout_add(
2163
int((self.expires - now).total_seconds() * 1000),
2164
self.disable)
2165
1575
gobject.source_remove(self.disable_initiator_tag)
1576
self.disable_initiator_tag = (
1577
gobject.timeout_add(
1578
timedelta_to_milliseconds(self.expires - now),
1579
self.disable))
1580
2166
1581
# ExtendedTimeout - property
2167
@dbus_service_property(_interface,
2168
signature="t",
1582
@dbus_service_property(_interface, signature="t",
2169
1583
access="readwrite")
2170
1584
def ExtendedTimeout_dbus_property(self, value=None):
2171
1585
if value is None: # get
2172
return dbus.UInt64(self.extended_timeout.total_seconds()
2173
* 1000)
1586
return dbus.UInt64(self.extended_timeout_milliseconds())
2174
1587
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2175
1588
2176
1589
# Interval - property
2177
@dbus_service_property(_interface,
2178
signature="t",
1590
@dbus_service_property(_interface, signature="t",
2179
1591
access="readwrite")
2180
1592
def Interval_dbus_property(self, value=None):
2181
1593
if value is None: # get
2182
return dbus.UInt64(self.interval.total_seconds() * 1000)
1594
return dbus.UInt64(self.interval_milliseconds())
2183
1595
self.interval = datetime.timedelta(0, 0, 0, value)
2184
1596
if getattr(self, "checker_initiator_tag", None) is None:
2185
1597
return
2186
1598
if self.enabled:
2187
1599
# Reschedule checker run
2188
GLib.source_remove(self.checker_initiator_tag)
2189
self.checker_initiator_tag = GLib.timeout_add(
2190
value, self.start_checker)
2191
self.start_checker() # Start one now, too
2192
1600
gobject.source_remove(self.checker_initiator_tag)
1601
self.checker_initiator_tag = (gobject.timeout_add
1602
(value, self.start_checker))
1603
self.start_checker() # Start one now, too
1604
2193
1605
# Checker - property
2194
@dbus_service_property(_interface,
2195
signature="s",
1606
@dbus_service_property(_interface, signature="s",
2196
1607
access="readwrite")
2197
1608
def Checker_dbus_property(self, value=None):
2198
1609
if value is None: # get
2199
1610
return dbus.String(self.checker_command)
2200
self.checker_command = str(value)
2201
1611
self.checker_command = unicode(value)
1612
2202
1613
# CheckerRunning - property
2203
@dbus_service_property(_interface,
2204
signature="b",
1614
@dbus_service_property(_interface, signature="b",
2205
1615
access="readwrite")
2206
1616
def CheckerRunning_dbus_property(self, value=None):
2207
1617
if value is None: # get
2210
1620
self.start_checker()
2211
1621
else:
2212
1622
self.stop_checker()
2213
1623
2214
1624
# ObjectPath - property
2215
@dbus_annotations(
2216
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2217
"org.freedesktop.DBus.Deprecated": "true"})
2218
1625
@dbus_service_property(_interface, signature="o", access="read")
2219
1626
def ObjectPath_dbus_property(self):
2220
return self.dbus_object_path # is already a dbus.ObjectPath
2221
1627
return self.dbus_object_path # is already a dbus.ObjectPath
1628
2222
1629
# Secret = property
2223
@dbus_annotations(
2224
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2225
"invalidates"})
2226
@dbus_service_property(_interface,
2227
signature="ay",
2228
access="write",
2229
byte_arrays=True)
1630
@dbus_service_property(_interface, signature="ay",
1631
access="write", byte_arrays=True)
2230
1632
def Secret_dbus_property(self, value):
2231
self.secret = bytes(value)
2232
1633
self.secret = str(value)
1634
2233
1635
del _interface
2234
1636
2235
1637
2236
class ProxyClient:
2237
def __init__(self, child_pipe, key_id, fpr, address):
1638
class ProxyClient(object):
1639
def __init__(self, child_pipe, fpr, address):
2238
1640
self._pipe = child_pipe
2239
self._pipe.send(('init', key_id, fpr, address))
1641
self._pipe.send(('init', fpr, address))
2240
1642
if not self._pipe.recv():
2241
raise KeyError(key_id or fpr)
2242
1643
raise KeyError()
1644
2243
1645
def __getattribute__(self, name):
2244
1646
if name == '_pipe':
2245
1647
return super(ProxyClient, self).__getattribute__(name)
2248
1650
if data[0] == 'data':
2249
1651
return data[1]
2250
1652
if data[0] == 'function':
2251
2252
1653
def func(*args, **kwargs):
2253
1654
self._pipe.send(('funcall', name, args, kwargs))
2254
1655
return self._pipe.recv()[1]
2255
2256
1656
return func
2257
1657
2258
1658
def __setattr__(self, name, value):
2259
1659
if name == '_pipe':
2260
1660
return super(ProxyClient, self).__setattr__(name, value)
2263
1663
2264
1664
class ClientHandler(socketserver.BaseRequestHandler, object):
2265
1665
"""A class to handle client connections.
2266
1666
2267
1667
Instantiated once for each connection to handle it.
2268
1668
Note: This will run in its own forked process."""
2269
1669
2270
1670
def handle(self):
2271
1671
with contextlib.closing(self.server.child_pipe) as child_pipe:
2272
1672
logger.info("TCP connection from: %s",
2273
str(self.client_address))
1673
unicode(self.client_address))
2274
1674
logger.debug("Pipe FD: %d",
2275
1675
self.server.child_pipe.fileno())
2276
2277
session = gnutls.ClientSession(self.request)
2278
2279
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2280
# "+AES-256-CBC", "+SHA1",
2281
# "+COMP-NULL", "+CTYPE-OPENPGP",
2282
# "+DHE-DSS"))
1676
1677
session = (gnutls.connection
1678
.ClientSession(self.request,
1679
gnutls.connection
1680
.X509Credentials()))
1681
1682
# Note: gnutls.connection.X509Credentials is really a
1683
# generic GnuTLS certificate credentials object so long as
1684
# no X.509 keys are added to it. Therefore, we can use it
1685
# here despite using OpenPGP certificates.
1686
1687
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1688
# "+AES-256-CBC", "+SHA1",
1689
# "+COMP-NULL", "+CTYPE-OPENPGP",
1690
# "+DHE-DSS"))
2283
1691
# Use a fallback default, since this MUST be set.
2284
1692
priority = self.server.gnutls_priority
2285
1693
if priority is None:
2286
1694
priority = "NORMAL"
2287
gnutls.priority_set_direct(session._c_object,
2288
priority.encode("utf-8"),
2289
None)
2290
1695
(gnutls.library.functions
1696
.gnutls_priority_set_direct(session._c_object,
1697
priority, None))
1698
2291
1699
# Start communication using the Mandos protocol
2292
1700
# Get protocol number
2293
1701
line = self.request.makefile().readline()
2294
1702
logger.debug("Protocol version: %r", line)
2295
1703
try:
2296
1704
if int(line.strip().split()[0]) > 1:
2297
raise RuntimeError(line)
1705
raise RuntimeError
2298
1706
except (ValueError, IndexError, RuntimeError) as error:
2299
1707
logger.error("Unknown protocol version: %s", error)
2300
1708
return
2301
1709
2302
1710
# Start GnuTLS connection
2303
1711
try:
2304
1712
session.handshake()
2305
except gnutls.Error as error:
1713
except gnutls.errors.GNUTLSError as error:
2306
1714
logger.warning("Handshake failed: %s", error)
2307
1715
# Do not run session.bye() here: the session is not
2308
1716
# established. Just abandon the request.
2309
1717
return
2310
1718
logger.debug("Handshake succeeded")
2311
1719
2312
1720
approval_required = False
2313
1721
try:
2314
if gnutls.has_rawpk:
2315
fpr = b""
2316
try:
2317
key_id = self.key_id(
2318
self.peer_certificate(session))
2319
except (TypeError, gnutls.Error) as error:
2320
logger.warning("Bad certificate: %s", error)
2321
return
2322
logger.debug("Key ID: %s", key_id)
2323
2324
else:
2325
key_id = b""
2326
try:
2327
fpr = self.fingerprint(
2328
self.peer_certificate(session))
2329
except (TypeError, gnutls.Error) as error:
2330
logger.warning("Bad certificate: %s", error)
2331
return
2332
logger.debug("Fingerprint: %s", fpr)
2333
2334
try:
2335
client = ProxyClient(child_pipe, key_id, fpr,
1722
try:
1723
fpr = self.fingerprint(self.peer_certificate
1724
(session))
1725
except (TypeError,
1726
gnutls.errors.GNUTLSError) as error:
1727
logger.warning("Bad certificate: %s", error)
1728
return
1729
logger.debug("Fingerprint: %s", fpr)
1730
1731
try:
1732
client = ProxyClient(child_pipe, fpr,
2336
1733
self.client_address)
2337
1734
except KeyError:
2338
1735
return
2339
1736
2340
1737
if client.approval_delay:
2341
1738
delay = client.approval_delay
2342
1739
client.approvals_pending += 1
2343
1740
approval_required = True
2344
1741
2345
1742
while True:
2346
1743
if not client.enabled:
2347
1744
logger.info("Client %s is disabled",
2348
client.name)
1745
client.name)
2349
1746
if self.server.use_dbus:
2350
1747
# Emit D-Bus signal
2351
1748
client.Rejected("Disabled")
2352
1749
return
2353
1750
2354
1751
if client.approved or not client.approval_delay:
2355
# We are approved or approval is disabled
1752
#We are approved or approval is disabled
2356
1753
break
2357
1754
elif client.approved is None:
2358
1755
logger.info("Client %s needs approval",
2360
1757
if self.server.use_dbus:
2361
1758
# Emit D-Bus signal
2362
1759
client.NeedApproval(
2363
client.approval_delay.total_seconds()
2364
* 1000, client.approved_by_default)
1760
client.approval_delay_milliseconds(),
1761
client.approved_by_default)
2365
1762
else:
2366
1763
logger.warning("Client %s was not approved",
2367
1764
client.name)
2369
1766
# Emit D-Bus signal
2370
1767
client.Rejected("Denied")
2371
1768
return
2372
2373
# wait until timeout or approved
1769
1770
#wait until timeout or approved
2374
1771
time = datetime.datetime.now()
2375
1772
client.changedstate.acquire()
2376
client.changedstate.wait(delay.total_seconds())
1773
client.changedstate.wait(
1774
float(timedelta_to_milliseconds(delay)
1775
/ 1000))
2377
1776
client.changedstate.release()
2378
1777
time2 = datetime.datetime.now()
2379
1778
if (time2 - time) >= delay:
2389
1788
break
2390
1789
else:
2391
1790
delay -= time2 - time
2392
2393
try:
2394
session.send(client.secret)
2395
except gnutls.Error as error:
2396
logger.warning("gnutls send failed",
2397
exc_info=error)
2398
return
2399
1791
1792
sent_size = 0
1793
while sent_size < len(client.secret):
1794
try:
1795
sent = session.send(client.secret[sent_size:])
1796
except gnutls.errors.GNUTLSError as error:
1797
logger.warning("gnutls send failed",
1798
exc_info=error)
1799
return
1800
logger.debug("Sent: %d, remaining: %d",
1801
sent, len(client.secret)
1802
- (sent_size + sent))
1803
sent_size += sent
1804
2400
1805
logger.info("Sending secret to %s", client.name)
2401
1806
# bump the timeout using extended_timeout
2402
1807
client.bump_timeout(client.extended_timeout)
2403
1808
if self.server.use_dbus:
2404
1809
# Emit D-Bus signal
2405
1810
client.GotSecret()
2406
1811
2407
1812
finally:
2408
1813
if approval_required:
2409
1814
client.approvals_pending -= 1
2410
1815
try:
2411
1816
session.bye()
2412
except gnutls.Error as error:
1817
except gnutls.errors.GNUTLSError as error:
2413
1818
logger.warning("GnuTLS bye failed",
2414
1819
exc_info=error)
2415
1820
2416
1821
@staticmethod
2417
1822
def peer_certificate(session):
2418
"Return the peer's certificate as a bytestring"
2419
try:
2420
cert_type = gnutls.certificate_type_get2(session._c_object,
2421
gnutls.CTYPE_PEERS)
2422
except AttributeError:
2423
cert_type = gnutls.certificate_type_get(session._c_object)
2424
if gnutls.has_rawpk:
2425
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2426
else:
2427
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2428
# If not a valid certificate type...
2429
if cert_type not in valid_cert_types:
2430
logger.info("Cert type %r not in %r", cert_type,
2431
valid_cert_types)
2432
# ...return invalid data
2433
return b""
1823
"Return the peer's OpenPGP certificate as a bytestring"
1824
# If not an OpenPGP certificate...
1825
if (gnutls.library.functions
1826
.gnutls_certificate_type_get(session._c_object)
1827
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1828
# ...do the normal thing
1829
return session.peer_certificate
2434
1830
list_size = ctypes.c_uint(1)
2435
cert_list = (gnutls.certificate_get_peers
1831
cert_list = (gnutls.library.functions
1832
.gnutls_certificate_get_peers
2436
1833
(session._c_object, ctypes.byref(list_size)))
2437
1834
if not bool(cert_list) and list_size.value != 0:
2438
raise gnutls.Error("error getting peer certificate")
1835
raise gnutls.errors.GNUTLSError("error getting peer"
1836
" certificate")
2439
1837
if list_size.value == 0:
2440
1838
return None
2441
1839
cert = cert_list[0]
2442
1840
return ctypes.string_at(cert.data, cert.size)
2443
2444
@staticmethod
2445
def key_id(certificate):
2446
"Convert a certificate bytestring to a hexdigit key ID"
2447
# New GnuTLS "datum" with the public key
2448
datum = gnutls.datum_t(
2449
ctypes.cast(ctypes.c_char_p(certificate),
2450
ctypes.POINTER(ctypes.c_ubyte)),
2451
ctypes.c_uint(len(certificate)))
2452
# XXX all these need to be created in the gnutls "module"
2453
# New empty GnuTLS certificate
2454
pubkey = gnutls.pubkey_t()
2455
gnutls.pubkey_init(ctypes.byref(pubkey))
2456
# Import the raw public key into the certificate
2457
gnutls.pubkey_import(pubkey,
2458
ctypes.byref(datum),
2459
gnutls.X509_FMT_DER)
2460
# New buffer for the key ID
2461
buf = ctypes.create_string_buffer(32)
2462
buf_len = ctypes.c_size_t(len(buf))
2463
# Get the key ID from the raw public key into the buffer
2464
gnutls.pubkey_get_key_id(pubkey,
2465
gnutls.KEYID_USE_SHA256,
2466
ctypes.cast(ctypes.byref(buf),
2467
ctypes.POINTER(ctypes.c_ubyte)),
2468
ctypes.byref(buf_len))
2469
# Deinit the certificate
2470
gnutls.pubkey_deinit(pubkey)
2471
2472
# Convert the buffer to a Python bytestring
2473
key_id = ctypes.string_at(buf, buf_len.value)
2474
# Convert the bytestring to hexadecimal notation
2475
hex_key_id = binascii.hexlify(key_id).upper()
2476
return hex_key_id
2477
1841
2478
1842
@staticmethod
2479
1843
def fingerprint(openpgp):
2480
1844
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2481
1845
# New GnuTLS "datum" with the OpenPGP public key
2482
datum = gnutls.datum_t(
2483
ctypes.cast(ctypes.c_char_p(openpgp),
2484
ctypes.POINTER(ctypes.c_ubyte)),
2485
ctypes.c_uint(len(openpgp)))
1846
datum = (gnutls.library.types
1847
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1848
ctypes.POINTER
1849
(ctypes.c_ubyte)),
1850
ctypes.c_uint(len(openpgp))))
2486
1851
# New empty GnuTLS certificate
2487
crt = gnutls.openpgp_crt_t()
2488
gnutls.openpgp_crt_init(ctypes.byref(crt))
1852
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1853
(gnutls.library.functions
1854
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
2489
1855
# Import the OpenPGP public key into the certificate
2490
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2491
gnutls.OPENPGP_FMT_RAW)
1856
(gnutls.library.functions
1857
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1858
gnutls.library.constants
1859
.GNUTLS_OPENPGP_FMT_RAW))
2492
1860
# Verify the self signature in the key
2493
1861
crtverify = ctypes.c_uint()
2494
gnutls.openpgp_crt_verify_self(crt, 0,
2495
ctypes.byref(crtverify))
1862
(gnutls.library.functions
1863
.gnutls_openpgp_crt_verify_self(crt, 0,
1864
ctypes.byref(crtverify)))
2496
1865
if crtverify.value != 0:
2497
gnutls.openpgp_crt_deinit(crt)
2498
raise gnutls.CertificateSecurityError(code
2499
=crtverify.value)
1866
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1867
raise (gnutls.errors.CertificateSecurityError
1868
("Verify failed"))
2500
1869
# New buffer for the fingerprint
2501
1870
buf = ctypes.create_string_buffer(20)
2502
1871
buf_len = ctypes.c_size_t()
2503
1872
# Get the fingerprint from the certificate into the buffer
2504
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2505
ctypes.byref(buf_len))
1873
(gnutls.library.functions
1874
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1875
ctypes.byref(buf_len)))
2506
1876
# Deinit the certificate
2507
gnutls.openpgp_crt_deinit(crt)
1877
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2508
1878
# Convert the buffer to a Python bytestring
2509
1879
fpr = ctypes.string_at(buf, buf_len.value)
2510
1880
# Convert the bytestring to hexadecimal notation
2512
1882
return hex_fpr
2513
1883
2514
1884
2515
class MultiprocessingMixIn:
1885
class MultiprocessingMixIn(object):
2516
1886
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2517
2518
1887
def sub_process_main(self, request, address):
2519
1888
try:
2520
1889
self.finish_request(request, address)
2521
1890
except Exception:
2522
1891
self.handle_error(request, address)
2523
1892
self.close_request(request)
2524
1893
2525
1894
def process_request(self, request, address):
2526
1895
"""Start a new process to process the request."""
2527
proc = multiprocessing.Process(target=self.sub_process_main,
2528
args=(request, address))
1896
proc = multiprocessing.Process(target = self.sub_process_main,
1897
args = (request, address))
2529
1898
proc.start()
2530
1899
return proc
2531
1900
2532
1901
2533
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
1902
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2534
1903
""" adds a pipe to the MixIn """
2535
2536
1904
def process_request(self, request, client_address):
2537
1905
"""Overrides and wraps the original process_request().
2538
1906
2539
1907
This function creates a new pipe in self.pipe
2540
1908
"""
2541
1909
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2542
1910
2543
1911
proc = MultiprocessingMixIn.process_request(self, request,
2544
1912
client_address)
2545
1913
self.child_pipe.close()
2546
1914
self.add_pipe(parent_pipe, proc)
2547
1915
2548
1916
def add_pipe(self, parent_pipe, proc):
2549
1917
"""Dummy function; override as necessary"""
2550
raise NotImplementedError()
1918
raise NotImplementedError
2551
1919
2552
1920
2553
1921
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2554
socketserver.TCPServer):
1922
socketserver.TCPServer, object):
2555
1923
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2556
1924
2557
1925
Attributes:
2558
1926
enabled: Boolean; whether this server is activated yet
2559
1927
interface: None or a network interface name (string)
2560
1928
use_ipv6: Boolean; to use IPv6 or not
2561
1929
"""
2562
2563
1930
def __init__(self, server_address, RequestHandlerClass,
2564
interface=None,
2565
use_ipv6=True,
2566
socketfd=None):
1931
interface=None, use_ipv6=True, socketfd=None):
2567
1932
"""If socketfd is set, use that file descriptor instead of
2568
1933
creating a new one with socket.socket().
2569
1934
"""
2575
1940
self.socketfd = socketfd
2576
1941
# Save the original socket.socket() function
2577
1942
self.socket_socket = socket.socket
2578
2579
1943
# To implement --socket, we monkey patch socket.socket.
2580
#
1944
#
2581
1945
# (When socketserver.TCPServer is a new-style class, we
2582
1946
# could make self.socket into a property instead of monkey
2583
1947
# patching socket.socket.)
2584
#
1948
#
2585
1949
# Create a one-time-only replacement for socket.socket()
2586
1950
@functools.wraps(socket.socket)
2587
1951
def socket_wrapper(*args, **kwargs):
2599
1963
# socket_wrapper(), if socketfd was set.
2600
1964
socketserver.TCPServer.__init__(self, server_address,
2601
1965
RequestHandlerClass)
2602
1966
2603
1967
def server_bind(self):
2604
1968
"""This overrides the normal server_bind() function
2605
1969
to bind to an interface if one was specified, and also NOT to
2606
1970
bind to an address or port if they were not specified."""
2607
global SO_BINDTODEVICE
2608
1971
if self.interface is not None:
2609
1972
if SO_BINDTODEVICE is None:
2610
# Fall back to a hard-coded value which seems to be
2611
# common enough.
2612
logger.warning("SO_BINDTODEVICE not found, trying 25")
2613
SO_BINDTODEVICE = 25
2614
try:
2615
self.socket.setsockopt(
2616
socket.SOL_SOCKET, SO_BINDTODEVICE,
2617
(self.interface + "\0").encode("utf-8"))
2618
except socket.error as error:
2619
if error.errno == errno.EPERM:
2620
logger.error("No permission to bind to"
2621
" interface %s", self.interface)
2622
elif error.errno == errno.ENOPROTOOPT:
2623
logger.error("SO_BINDTODEVICE not available;"
2624
" cannot bind to interface %s",
2625
self.interface)
2626
elif error.errno == errno.ENODEV:
2627
logger.error("Interface %s does not exist,"
2628
" cannot bind", self.interface)
2629
else:
2630
raise
1973
logger.error("SO_BINDTODEVICE does not exist;"
1974
" cannot bind to interface %s",
1975
self.interface)
1976
else:
1977
try:
1978
self.socket.setsockopt(socket.SOL_SOCKET,
1979
SO_BINDTODEVICE,
1980
str(self.interface + '\0'))
1981
except socket.error as error:
1982
if error.errno == errno.EPERM:
1983
logger.error("No permission to bind to"
1984
" interface %s", self.interface)
1985
elif error.errno == errno.ENOPROTOOPT:
1986
logger.error("SO_BINDTODEVICE not available;"
1987
" cannot bind to interface %s",
1988
self.interface)
1989
elif error.errno == errno.ENODEV:
1990
logger.error("Interface %s does not exist,"
1991
" cannot bind", self.interface)
1992
else:
1993
raise
2631
1994
# Only bind(2) the socket if we really need to.
2632
1995
if self.server_address[0] or self.server_address[1]:
2633
if self.server_address[1]:
2634
self.allow_reuse_address = True
2635
1996
if not self.server_address[0]:
2636
1997
if self.address_family == socket.AF_INET6:
2637
any_address = "::" # in6addr_any
1998
any_address = "::" # in6addr_any
2638
1999
else:
2639
any_address = "0.0.0.0" # INADDR_ANY
2000
any_address = "0.0.0.0" # INADDR_ANY
2640
2001
self.server_address = (any_address,
2641
2002
self.server_address[1])
2642
2003
elif not self.server_address[1]:
2643
self.server_address = (self.server_address[0], 0)
2004
self.server_address = (self.server_address[0],
2005
0)
2644
2006
# if self.interface:
2645
2007
# self.server_address = (self.server_address[0],
2646
2008
# 0, # port
2652
2014
2653
2015
class MandosServer(IPv6_TCPServer):
2654
2016
"""Mandos server.
2655
2017
2656
2018
Attributes:
2657
2019
clients: set of Client objects
2658
2020
gnutls_priority GnuTLS priority string
2659
2021
use_dbus: Boolean; to emit D-Bus signals or not
2660
2661
Assumes a GLib.MainLoop event loop.
2022
2023
Assumes a gobject.MainLoop event loop.
2662
2024
"""
2663
2664
2025
def __init__(self, server_address, RequestHandlerClass,
2665
interface=None,
2666
use_ipv6=True,
2667
clients=None,
2668
gnutls_priority=None,
2669
use_dbus=True,
2670
socketfd=None):
2026
interface=None, use_ipv6=True, clients=None,
2027
gnutls_priority=None, use_dbus=True, socketfd=None):
2671
2028
self.enabled = False
2672
2029
self.clients = clients
2673
2030
if self.clients is None:
2676
2033
self.gnutls_priority = gnutls_priority
2677
2034
IPv6_TCPServer.__init__(self, server_address,
2678
2035
RequestHandlerClass,
2679
interface=interface,
2680
use_ipv6=use_ipv6,
2681
socketfd=socketfd)
2682
2036
interface = interface,
2037
use_ipv6 = use_ipv6,
2038
socketfd = socketfd)
2683
2039
def server_activate(self):
2684
2040
if self.enabled:
2685
2041
return socketserver.TCPServer.server_activate(self)
2686
2042
2687
2043
def enable(self):
2688
2044
self.enabled = True
2689
2045
2690
2046
def add_pipe(self, parent_pipe, proc):
2691
2047
# Call "handle_ipc" for both data and EOF events
2692
GLib.io_add_watch(
2693
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2694
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2695
functools.partial(self.handle_ipc,
2696
parent_pipe=parent_pipe,
2697
proc=proc))
2698
2699
def handle_ipc(self, source, condition,
2700
parent_pipe=None,
2701
proc=None,
2702
client_object=None):
2048
gobject.io_add_watch(parent_pipe.fileno(),
2049
gobject.IO_IN | gobject.IO_HUP,
2050
functools.partial(self.handle_ipc,
2051
parent_pipe =
2052
parent_pipe,
2053
proc = proc))
2054
2055
def handle_ipc(self, source, condition, parent_pipe=None,
2056
proc = None, client_object=None):
2703
2057
# error, or the other end of multiprocessing.Pipe has closed
2704
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2058
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2705
2059
# Wait for other process to exit
2706
2060
proc.join()
2707
2061
return False
2708
2062
2709
2063
# Read a request from the child
2710
2064
request = parent_pipe.recv()
2711
2065
command = request[0]
2712
2066
2713
2067
if command == 'init':
2714
key_id = request[1].decode("ascii")
2715
fpr = request[2].decode("ascii")
2716
address = request[3]
2717
2718
for c in self.clients.values():
2719
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2720
continue
2721
if key_id and c.key_id == key_id:
2722
client = c
2723
break
2724
if fpr and c.fingerprint == fpr:
2068
fpr = request[1]
2069
address = request[2]
2070
2071
for c in self.clients.itervalues():
2072
if c.fingerprint == fpr:
2725
2073
client = c
2726
2074
break
2727
2075
else:
2728
logger.info("Client not found for key ID: %s, address"
2729
": %s", key_id or fpr, address)
2076
logger.info("Client not found for fingerprint: %s, ad"
2077
"dress: %s", fpr, address)
2730
2078
if self.use_dbus:
2731
2079
# Emit D-Bus signal
2732
mandos_dbus_service.ClientNotFound(key_id or fpr,
2080
mandos_dbus_service.ClientNotFound(fpr,
2733
2081
address[0])
2734
2082
parent_pipe.send(False)
2735
2083
return False
2736
2737
GLib.io_add_watch(
2738
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2739
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2740
functools.partial(self.handle_ipc,
2741
parent_pipe=parent_pipe,
2742
proc=proc,
2743
client_object=client))
2084
2085
gobject.io_add_watch(parent_pipe.fileno(),
2086
gobject.IO_IN | gobject.IO_HUP,
2087
functools.partial(self.handle_ipc,
2088
parent_pipe =
2089
parent_pipe,
2090
proc = proc,
2091
client_object =
2092
client))
2744
2093
parent_pipe.send(True)
2745
2094
# remove the old hook in favor of the new above hook on
2746
2095
# same fileno
2749
2098
funcname = request[1]
2750
2099
args = request[2]
2751
2100
kwargs = request[3]
2752
2101
2753
2102
parent_pipe.send(('data', getattr(client_object,
2754
2103
funcname)(*args,
2755
**kwargs)))
2756
2104
**kwargs)))
2105
2757
2106
if command == 'getattr':
2758
2107
attrname = request[1]
2759
if isinstance(client_object.__getattribute__(attrname),
2760
collections.abc.Callable):
2761
parent_pipe.send(('function', ))
2108
if callable(client_object.__getattribute__(attrname)):
2109
parent_pipe.send(('function',))
2762
2110
else:
2763
parent_pipe.send((
2764
'data', client_object.__getattribute__(attrname)))
2765
2111
parent_pipe.send(('data', client_object
2112
.__getattribute__(attrname)))
2113
2766
2114
if command == 'setattr':
2767
2115
attrname = request[1]
2768
2116
value = request[2]
2769
2117
setattr(client_object, attrname, value)
2770
2118
2771
2119
return True
2772
2120
2773
2121
2774
2122
def rfc3339_duration_to_delta(duration):
2775
2123
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2776
2777
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2778
True
2779
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2780
True
2781
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2782
True
2783
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2784
True
2785
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2786
True
2787
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2788
True
2789
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2790
True
2124
2125
>>> rfc3339_duration_to_delta("P7D")
2126
datetime.timedelta(7)
2127
>>> rfc3339_duration_to_delta("PT60S")
2128
datetime.timedelta(0, 60)
2129
>>> rfc3339_duration_to_delta("PT60M")
2130
datetime.timedelta(0, 3600)
2131
>>> rfc3339_duration_to_delta("PT24H")
2132
datetime.timedelta(1)
2133
>>> rfc3339_duration_to_delta("P1W")
2134
datetime.timedelta(7)
2135
>>> rfc3339_duration_to_delta("PT5M30S")
2136
datetime.timedelta(0, 330)
2137
>>> rfc3339_duration_to_delta("P1DT3M20S")
2138
datetime.timedelta(1, 200)
2791
2139
"""
2792
2140
2793
2141
# Parsing an RFC 3339 duration with regular expressions is not
2794
2142
# possible - there would have to be multiple places for the same
2795
2143
# values, like seconds. The current code, while more esoteric, is
2796
2144
# cleaner without depending on a parsing library. If Python had a
2797
2145
# built-in library for parsing we would use it, but we'd like to
2798
2146
# avoid excessive use of external libraries.
2799
2147
2800
2148
# New type for defining tokens, syntax, and semantics all-in-one
2801
Token = collections.namedtuple("Token", (
2802
"regexp", # To match token; if "value" is not None, must have
2803
# a "group" containing digits
2804
"value", # datetime.timedelta or None
2805
"followers")) # Tokens valid after this token
2149
Token = collections.namedtuple("Token",
2150
("regexp", # To match token; if
2151
# "value" is not None,
2152
# must have a "group"
2153
# containing digits
2154
"value", # datetime.timedelta or
2155
# None
2156
"followers")) # Tokens valid after
2157
# this token
2806
2158
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2807
2159
# the "duration" ABNF definition in RFC 3339, Appendix A.
2808
2160
token_end = Token(re.compile(r"$"), None, frozenset())
2809
2161
token_second = Token(re.compile(r"(\d+)S"),
2810
2162
datetime.timedelta(seconds=1),
2811
frozenset((token_end, )))
2163
frozenset((token_end,)))
2812
2164
token_minute = Token(re.compile(r"(\d+)M"),
2813
2165
datetime.timedelta(minutes=1),
2814
2166
frozenset((token_second, token_end)))
2830
2182
frozenset((token_month, token_end)))
2831
2183
token_week = Token(re.compile(r"(\d+)W"),
2832
2184
datetime.timedelta(weeks=1),
2833
frozenset((token_end, )))
2185
frozenset((token_end,)))
2834
2186
token_duration = Token(re.compile(r"P"), None,
2835
2187
frozenset((token_year, token_month,
2836
2188
token_day, token_time,
2837
token_week)))
2838
# Define starting values:
2839
# Value so far
2840
value = datetime.timedelta()
2189
token_week))),
2190
# Define starting values
2191
value = datetime.timedelta() # Value so far
2841
2192
found_token = None
2842
# Following valid tokens
2843
followers = frozenset((token_duration, ))
2844
# String left to parse
2845
s = duration
2193
followers = frozenset(token_duration,) # Following valid tokens
2194
s = duration # String left to parse
2846
2195
# Loop until end token is found
2847
2196
while found_token is not token_end:
2848
2197
# Search for any currently valid tokens
2864
2213
break
2865
2214
else:
2866
2215
# No currently valid tokens were found
2867
raise ValueError("Invalid RFC 3339 duration: {!r}"
2868
.format(duration))
2216
raise ValueError("Invalid RFC 3339 duration")
2869
2217
# End token found
2870
2218
return value
2871
2219
2872
2220
2873
2221
def string_to_delta(interval):
2874
2222
"""Parse a string and return a datetime.timedelta
2875
2876
>>> string_to_delta('7d') == datetime.timedelta(7)
2877
True
2878
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2879
True
2880
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2881
True
2882
>>> string_to_delta('24h') == datetime.timedelta(1)
2883
True
2884
>>> string_to_delta('1w') == datetime.timedelta(7)
2885
True
2886
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2887
True
2223
2224
>>> string_to_delta('7d')
2225
datetime.timedelta(7)
2226
>>> string_to_delta('60s')
2227
datetime.timedelta(0, 60)
2228
>>> string_to_delta('60m')
2229
datetime.timedelta(0, 3600)
2230
>>> string_to_delta('24h')
2231
datetime.timedelta(1)
2232
>>> string_to_delta('1w')
2233
datetime.timedelta(7)
2234
>>> string_to_delta('5m 30s')
2235
datetime.timedelta(0, 330)
2888
2236
"""
2889
2237
2890
2238
try:
2891
2239
return rfc3339_duration_to_delta(interval)
2892
2240
except ValueError:
2893
2241
pass
2894
2242
2895
2243
timevalue = datetime.timedelta(0)
2896
2244
for s in interval.split():
2897
2245
try:
2898
suffix = s[-1]
2246
suffix = unicode(s[-1])
2899
2247
value = int(s[:-1])
2900
2248
if suffix == "d":
2901
2249
delta = datetime.timedelta(value)
2908
2256
elif suffix == "w":
2909
2257
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2910
2258
else:
2911
raise ValueError("Unknown suffix {!r}".format(suffix))
2912
except IndexError as e:
2259
raise ValueError("Unknown suffix {0!r}"
2260
.format(suffix))
2261
except (ValueError, IndexError) as e:
2913
2262
raise ValueError(*(e.args))
2914
2263
timevalue += delta
2915
2264
return timevalue
2916
2265
2917
2266
2918
def daemon(nochdir=False, noclose=False):
2267
def daemon(nochdir = False, noclose = False):
2919
2268
"""See daemon(3). Standard BSD Unix function.
2920
2269
2921
2270
This should really exist as os.daemon, but it doesn't (yet)."""
2922
2271
if os.fork():
2923
2272
sys.exit()
2931
2280
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2932
2281
if not stat.S_ISCHR(os.fstat(null).st_mode):
2933
2282
raise OSError(errno.ENODEV,
2934
"{} not a character device"
2283
"{0} not a character device"
2935
2284
.format(os.devnull))
2936
2285
os.dup2(null, sys.stdin.fileno())
2937
2286
os.dup2(null, sys.stdout.fileno())
2941
2290
2942
2291
2943
2292
def main():
2944
2293
2945
2294
##################################################################
2946
2295
# Parsing of options, both command line and config file
2947
2296
2948
2297
parser = argparse.ArgumentParser()
2949
2298
parser.add_argument("-v", "--version", action="version",
2950
version="%(prog)s {}".format(version),
2299
version = "%(prog)s {0}".format(version),
2951
2300
help="show version number and exit")
2952
2301
parser.add_argument("-i", "--interface", metavar="IF",
2953
2302
help="Bind to interface IF")
2986
2335
help="Directory to save/restore state in")
2987
2336
parser.add_argument("--foreground", action="store_true",
2988
2337
help="Run in foreground", default=None)
2989
parser.add_argument("--no-zeroconf", action="store_false",
2990
dest="zeroconf", help="Do not use Zeroconf",
2991
default=None)
2992
2338
2993
2339
options = parser.parse_args()
2994
2340
2341
if options.check:
2342
import doctest
2343
doctest.testmod()
2344
sys.exit()
2345
2995
2346
# Default values for config file for server-global settings
2996
if gnutls.has_rawpk:
2997
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2998
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2999
else:
3000
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3001
":+SIGN-DSA-SHA256")
3002
server_defaults = {"interface": "",
3003
"address": "",
3004
"port": "",
3005
"debug": "False",
3006
"priority": priority,
3007
"servicename": "Mandos",
3008
"use_dbus": "True",
3009
"use_ipv6": "True",
3010
"debuglevel": "",
3011
"restore": "True",
3012
"socket": "",
3013
"statedir": "/var/lib/mandos",
3014
"foreground": "False",
3015
"zeroconf": "True",
3016
}
3017
del priority
3018
2347
server_defaults = { "interface": "",
2348
"address": "",
2349
"port": "",
2350
"debug": "False",
2351
"priority":
2352
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2353
"servicename": "Mandos",
2354
"use_dbus": "True",
2355
"use_ipv6": "True",
2356
"debuglevel": "",
2357
"restore": "True",
2358
"socket": "",
2359
"statedir": "/var/lib/mandos",
2360
"foreground": "False",
2361
}
2362
3019
2363
# Parse config file for server-global settings
3020
server_config = configparser.ConfigParser(server_defaults)
2364
server_config = configparser.SafeConfigParser(server_defaults)
3021
2365
del server_defaults
3022
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3023
# Convert the ConfigParser object to a dict
2366
server_config.read(os.path.join(options.configdir,
2367
"mandos.conf"))
2368
# Convert the SafeConfigParser object to a dict
3024
2369
server_settings = server_config.defaults()
3025
2370
# Use the appropriate methods on the non-string config options
3026
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3027
"foreground", "zeroconf"):
2371
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3028
2372
server_settings[option] = server_config.getboolean("DEFAULT",
3029
2373
option)
3030
2374
if server_settings["port"]:
3040
2384
server_settings["socket"] = os.dup(server_settings
3041
2385
["socket"])
3042
2386
del server_config
3043
2387
3044
2388
# Override the settings from the config file with command line
3045
2389
# options, if set.
3046
2390
for option in ("interface", "address", "port", "debug",
3047
"priority", "servicename", "configdir", "use_dbus",
3048
"use_ipv6", "debuglevel", "restore", "statedir",
3049
"socket", "foreground", "zeroconf"):
2391
"priority", "servicename", "configdir",
2392
"use_dbus", "use_ipv6", "debuglevel", "restore",
2393
"statedir", "socket", "foreground"):
3050
2394
value = getattr(options, option)
3051
2395
if value is not None:
3052
2396
server_settings[option] = value
3053
2397
del options
3054
2398
# Force all strings to be unicode
3055
2399
for option in server_settings.keys():
3056
if isinstance(server_settings[option], bytes):
3057
server_settings[option] = (server_settings[option]
3058
.decode("utf-8"))
2400
if type(server_settings[option]) is str:
2401
server_settings[option] = unicode(server_settings[option])
3059
2402
# Force all boolean options to be boolean
3060
2403
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3061
"foreground", "zeroconf"):
2404
"foreground"):
3062
2405
server_settings[option] = bool(server_settings[option])
3063
2406
# Debug implies foreground
3064
2407
if server_settings["debug"]:
3065
2408
server_settings["foreground"] = True
3066
2409
# Now we have our good server settings in "server_settings"
3067
2410
3068
2411
##################################################################
3069
3070
if (not server_settings["zeroconf"]
3071
and not (server_settings["port"]
3072
or server_settings["socket"] != "")):
3073
parser.error("Needs port or socket to work without Zeroconf")
3074
2412
3075
2413
# For convenience
3076
2414
debug = server_settings["debug"]
3077
2415
debuglevel = server_settings["debuglevel"]
3080
2418
stored_state_path = os.path.join(server_settings["statedir"],
3081
2419
stored_state_file)
3082
2420
foreground = server_settings["foreground"]
3083
zeroconf = server_settings["zeroconf"]
3084
2421
3085
2422
if debug:
3086
2423
initlogger(debug, logging.DEBUG)
3087
2424
else:
3090
2427
else:
3091
2428
level = getattr(logging, debuglevel.upper())
3092
2429
initlogger(debug, level)
3093
2430
3094
2431
if server_settings["servicename"] != "Mandos":
3095
syslogger.setFormatter(
3096
logging.Formatter('Mandos ({}) [%(process)d]:'
3097
' %(levelname)s: %(message)s'.format(
3098
server_settings["servicename"])))
3099
2432
syslogger.setFormatter(logging.Formatter
2433
('Mandos ({0}) [%(process)d]:'
2434
' %(levelname)s: %(message)s'
2435
.format(server_settings
2436
["servicename"])))
2437
3100
2438
# Parse config file with clients
3101
client_config = configparser.ConfigParser(Client.client_defaults)
2439
client_config = configparser.SafeConfigParser(Client
2440
.client_defaults)
3102
2441
client_config.read(os.path.join(server_settings["configdir"],
3103
2442
"clients.conf"))
3104
2443
3105
2444
global mandos_dbus_service
3106
2445
mandos_dbus_service = None
3107
3108
socketfd = None
3109
if server_settings["socket"] != "":
3110
socketfd = server_settings["socket"]
3111
tcp_server = MandosServer(
3112
(server_settings["address"], server_settings["port"]),
3113
ClientHandler,
3114
interface=(server_settings["interface"] or None),
3115
use_ipv6=use_ipv6,
3116
gnutls_priority=server_settings["priority"],
3117
use_dbus=use_dbus,
3118
socketfd=socketfd)
2446
2447
tcp_server = MandosServer((server_settings["address"],
2448
server_settings["port"]),
2449
ClientHandler,
2450
interface=(server_settings["interface"]
2451
or None),
2452
use_ipv6=use_ipv6,
2453
gnutls_priority=
2454
server_settings["priority"],
2455
use_dbus=use_dbus,
2456
socketfd=(server_settings["socket"]
2457
or None))
3119
2458
if not foreground:
3120
2459
pidfilename = "/run/mandos.pid"
3121
2460
if not os.path.isdir("/run/."):
3122
2461
pidfilename = "/var/run/mandos.pid"
3123
2462
pidfile = None
3124
2463
try:
3125
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2464
pidfile = open(pidfilename, "w")
3126
2465
except IOError as e:
3127
2466
logger.error("Could not open file %r", pidfilename,
3128
2467
exc_info=e)
3129
3130
for name, group in (("_mandos", "_mandos"),
3131
("mandos", "mandos"),
3132
("nobody", "nogroup")):
2468
2469
for name in ("_mandos", "mandos", "nobody"):
3133
2470
try:
3134
2471
uid = pwd.getpwnam(name).pw_uid
3135
gid = pwd.getpwnam(group).pw_gid
2472
gid = pwd.getpwnam(name).pw_gid
3136
2473
break
3137
2474
except KeyError:
3138
2475
continue
3142
2479
try:
3143
2480
os.setgid(gid)
3144
2481
os.setuid(uid)
3145
if debug:
3146
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3147
gid))
3148
2482
except OSError as error:
3149
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3150
.format(uid, gid, os.strerror(error.errno)))
3151
2483
if error.errno != errno.EPERM:
3152
raise
3153
2484
raise error
2485
3154
2486
if debug:
3155
2487
# Enable all possible GnuTLS debugging
3156
2488
3157
2489
# "Use a log level over 10 to enable all debugging options."
3158
2490
# - GnuTLS manual
3159
gnutls.global_set_log_level(11)
3160
3161
@gnutls.log_func
2491
gnutls.library.functions.gnutls_global_set_log_level(11)
2492
2493
@gnutls.library.types.gnutls_log_func
3162
2494
def debug_gnutls(level, string):
3163
2495
logger.debug("GnuTLS: %s", string[:-1])
3164
3165
gnutls.global_set_log_function(debug_gnutls)
3166
2496
2497
(gnutls.library.functions
2498
.gnutls_global_set_log_function(debug_gnutls))
2499
3167
2500
# Redirect stdin so all checkers get /dev/null
3168
2501
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3169
2502
os.dup2(null, sys.stdin.fileno())
3170
2503
if null > 2:
3171
2504
os.close(null)
3172
2505
3173
2506
# Need to fork before connecting to D-Bus
3174
2507
if not foreground:
3175
2508
# Close all input and output, do double fork, etc.
3176
2509
daemon()
3177
3178
if gi.version_info < (3, 10, 2):
3179
# multiprocessing will use threads, so before we use GLib we
3180
# need to inform GLib that threads will be used.
3181
GLib.threads_init()
3182
2510
2511
# multiprocessing will use threads, so before we use gobject we
2512
# need to inform gobject that threads will be used.
2513
gobject.threads_init()
2514
3183
2515
global main_loop
3184
2516
# From the Avahi example code
3185
2517
DBusGMainLoop(set_as_default=True)
3186
main_loop = GLib.MainLoop()
2518
main_loop = gobject.MainLoop()
3187
2519
bus = dbus.SystemBus()
3188
2520
# End of Avahi example code
3189
2521
if use_dbus:
3190
2522
try:
3191
2523
bus_name = dbus.service.BusName("se.recompile.Mandos",
3192
bus,
3193
do_not_queue=True)
3194
old_bus_name = dbus.service.BusName(
3195
"se.bsnet.fukt.Mandos", bus,
3196
do_not_queue=True)
3197
except dbus.exceptions.DBusException as e:
2524
bus, do_not_queue=True)
2525
old_bus_name = (dbus.service.BusName
2526
("se.bsnet.fukt.Mandos", bus,
2527
do_not_queue=True))
2528
except dbus.exceptions.NameExistsException as e:
3198
2529
logger.error("Disabling D-Bus:", exc_info=e)
3199
2530
use_dbus = False
3200
2531
server_settings["use_dbus"] = False
3201
2532
tcp_server.use_dbus = False
3202
if zeroconf:
3203
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3204
service = AvahiServiceToSyslog(
3205
name=server_settings["servicename"],
3206
servicetype="_mandos._tcp",
3207
protocol=protocol,
3208
bus=bus)
3209
if server_settings["interface"]:
3210
service.interface = if_nametoindex(
3211
server_settings["interface"].encode("utf-8"))
3212
2533
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2534
service = AvahiServiceToSyslog(name =
2535
server_settings["servicename"],
2536
servicetype = "_mandos._tcp",
2537
protocol = protocol, bus = bus)
2538
if server_settings["interface"]:
2539
service.interface = (if_nametoindex
2540
(str(server_settings["interface"])))
2541
3213
2542
global multiprocessing_manager
3214
2543
multiprocessing_manager = multiprocessing.Manager()
3215
2544
3216
2545
client_class = Client
3217
2546
if use_dbus:
3218
client_class = functools.partial(ClientDBus, bus=bus)
3219
2547
client_class = functools.partial(ClientDBus, bus = bus)
2548
3220
2549
client_settings = Client.config_parser(client_config)
3221
2550
old_client_settings = {}
3222
2551
clients_data = {}
3223
2552
3224
2553
# This is used to redirect stdout and stderr for checker processes
3225
2554
global wnull
3226
wnull = open(os.devnull, "w") # A writable /dev/null
2555
wnull = open(os.devnull, "w") # A writable /dev/null
3227
2556
# Only used if server is running in foreground but not in debug
3228
2557
# mode
3229
2558
if debug or not foreground:
3230
2559
wnull.close()
3231
2560
3232
2561
# Get client data and settings from last running state.
3233
2562
if server_settings["restore"]:
3234
2563
try:
3235
2564
with open(stored_state_path, "rb") as stored_state:
3236
if sys.version_info.major == 2:
3237
clients_data, old_client_settings = pickle.load(
3238
stored_state)
3239
else:
3240
bytes_clients_data, bytes_old_client_settings = (
3241
pickle.load(stored_state, encoding="bytes"))
3242
# Fix bytes to strings
3243
# clients_data
3244
# .keys()
3245
clients_data = {(key.decode("utf-8")
3246
if isinstance(key, bytes)
3247
else key): value
3248
for key, value in
3249
bytes_clients_data.items()}
3250
del bytes_clients_data
3251
for key in clients_data:
3252
value = {(k.decode("utf-8")
3253
if isinstance(k, bytes) else k): v
3254
for k, v in
3255
clients_data[key].items()}
3256
clients_data[key] = value
3257
# .client_structure
3258
value["client_structure"] = [
3259
(s.decode("utf-8")
3260
if isinstance(s, bytes)
3261
else s) for s in
3262
value["client_structure"]]
3263
# .name, .host, and .checker_command
3264
for k in ("name", "host", "checker_command"):
3265
if isinstance(value[k], bytes):
3266
value[k] = value[k].decode("utf-8")
3267
if "key_id" not in value:
3268
value["key_id"] = ""
3269
elif "fingerprint" not in value:
3270
value["fingerprint"] = ""
3271
# old_client_settings
3272
# .keys()
3273
old_client_settings = {
3274
(key.decode("utf-8")
3275
if isinstance(key, bytes)
3276
else key): value
3277
for key, value in
3278
bytes_old_client_settings.items()}
3279
del bytes_old_client_settings
3280
# .host and .checker_command
3281
for value in old_client_settings.values():
3282
for attribute in ("host", "checker_command"):
3283
if isinstance(value[attribute], bytes):
3284
value[attribute] = (value[attribute]
3285
.decode("utf-8"))
2565
clients_data, old_client_settings = (pickle.load
2566
(stored_state))
3286
2567
os.remove(stored_state_path)
3287
2568
except IOError as e:
3288
2569
if e.errno == errno.ENOENT:
3289
logger.warning("Could not load persistent state:"
3290
" {}".format(os.strerror(e.errno)))
2570
logger.warning("Could not load persistent state: {0}"
2571
.format(os.strerror(e.errno)))
3291
2572
else:
3292
2573
logger.critical("Could not load persistent state:",
3293
2574
exc_info=e)
3294
2575
raise
3295
2576
except EOFError as e:
3296
2577
logger.warning("Could not load persistent state: "
3297
"EOFError:",
3298
exc_info=e)
3299
2578
"EOFError:", exc_info=e)
2579
3300
2580
with PGPEngine() as pgp:
3301
for client_name, client in clients_data.items():
2581
for client_name, client in clients_data.iteritems():
3302
2582
# Skip removed clients
3303
2583
if client_name not in client_settings:
3304
2584
continue
3305
2585
3306
2586
# Decide which value to use after restoring saved state.
3307
2587
# We have three different values: Old config file,
3308
2588
# new config file, and saved state.
3313
2593
# For each value in new config, check if it
3314
2594
# differs from the old config value (Except for
3315
2595
# the "secret" attribute)
3316
if (name != "secret"
3317
and (value !=
3318
old_client_settings[client_name][name])):
2596
if (name != "secret" and
2597
value != old_client_settings[client_name]
2598
[name]):
3319
2599
client[name] = value
3320
2600
except KeyError:
3321
2601
pass
3322
2602
3323
2603
# Clients who has passed its expire date can still be
3324
# enabled if its last checker was successful. A Client
2604
# enabled if its last checker was successful. Clients
3325
2605
# whose checker succeeded before we stored its state is
3326
2606
# assumed to have successfully run all checkers during
3327
2607
# downtime.
3329
2609
if datetime.datetime.utcnow() >= client["expires"]:
3330
2610
if not client["last_checked_ok"]:
3331
2611
logger.warning(
3332
"disabling client {} - Client never "
3333
"performed a successful checker".format(
3334
client_name))
2612
"disabling client {0} - Client never "
2613
"performed a successful checker"
2614
.format(client_name))
3335
2615
client["enabled"] = False
3336
2616
elif client["last_checker_status"] != 0:
3337
2617
logger.warning(
3338
"disabling client {} - Client last"
3339
" checker failed with error code"
3340
" {}".format(
3341
client_name,
3342
client["last_checker_status"]))
2618
"disabling client {0} - Client "
2619
"last checker failed with error code {1}"
2620
.format(client_name,
2621
client["last_checker_status"]))
3343
2622
client["enabled"] = False
3344
2623
else:
3345
client["expires"] = (
3346
datetime.datetime.utcnow()
3347
+ client["timeout"])
2624
client["expires"] = (datetime.datetime
2625
.utcnow()
2626
+ client["timeout"])
3348
2627
logger.debug("Last checker succeeded,"
3349
" keeping {} enabled".format(
3350
client_name))
2628
" keeping {0} enabled"
2629
.format(client_name))
3351
2630
try:
3352
client["secret"] = pgp.decrypt(
3353
client["encrypted_secret"],
3354
client_settings[client_name]["secret"])
2631
client["secret"] = (
2632
pgp.decrypt(client["encrypted_secret"],
2633
client_settings[client_name]
2634
["secret"]))
3355
2635
except PGPError:
3356
2636
# If decryption fails, we use secret from new settings
3357
logger.debug("Failed to decrypt {} old secret".format(
3358
client_name))
3359
client["secret"] = (client_settings[client_name]
3360
["secret"])
3361
2637
logger.debug("Failed to decrypt {0} old secret"
2638
.format(client_name))
2639
client["secret"] = (
2640
client_settings[client_name]["secret"])
2641
3362
2642
# Add/remove clients based on new changes made to config
3363
2643
for client_name in (set(old_client_settings)
3364
2644
- set(client_settings)):
3366
2646
for client_name in (set(client_settings)
3367
2647
- set(old_client_settings)):
3368
2648
clients_data[client_name] = client_settings[client_name]
3369
2649
3370
2650
# Create all client objects
3371
for client_name, client in clients_data.items():
2651
for client_name, client in clients_data.iteritems():
3372
2652
tcp_server.clients[client_name] = client_class(
3373
name=client_name,
3374
settings=client,
3375
server_settings=server_settings)
3376
2653
name = client_name, settings = client,
2654
server_settings = server_settings)
2655
3377
2656
if not tcp_server.clients:
3378
2657
logger.warning("No clients defined")
3379
2658
3380
2659
if not foreground:
3381
2660
if pidfile is not None:
3382
pid = os.getpid()
3383
2661
try:
3384
2662
with pidfile:
3385
print(pid, file=pidfile)
2663
pid = os.getpid()
2664
pidfile.write(str(pid) + "\n".encode("utf-8"))
3386
2665
except IOError:
3387
2666
logger.error("Could not write to file %r with PID %d",
3388
2667
pidfilename, pid)
3389
2668
del pidfile
3390
2669
del pidfilename
3391
3392
for termsig in (signal.SIGHUP, signal.SIGTERM):
3393
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3394
lambda: main_loop.quit() and False)
3395
2670
2671
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2672
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2673
3396
2674
if use_dbus:
3397
3398
@alternate_dbus_interfaces(
3399
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3400
class MandosDBusService(DBusObjectWithObjectManager):
2675
@alternate_dbus_interfaces({"se.recompile.Mandos":
2676
"se.bsnet.fukt.Mandos"})
2677
class MandosDBusService(DBusObjectWithProperties):
3401
2678
"""A D-Bus proxy object"""
3402
3403
2679
def __init__(self):
3404
2680
dbus.service.Object.__init__(self, bus, "/")
3405
3406
2681
_interface = "se.recompile.Mandos"
3407
2682
2683
@dbus_interface_annotations(_interface)
2684
def _foo(self):
2685
return { "org.freedesktop.DBus.Property"
2686
".EmitsChangedSignal":
2687
"false"}
2688
3408
2689
@dbus.service.signal(_interface, signature="o")
3409
2690
def ClientAdded(self, objpath):
3410
2691
"D-Bus signal"
3411
2692
pass
3412
2693
3413
2694
@dbus.service.signal(_interface, signature="ss")
3414
def ClientNotFound(self, key_id, address):
2695
def ClientNotFound(self, fingerprint, address):
3415
2696
"D-Bus signal"
3416
2697
pass
3417
3418
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3419
"true"})
2698
3420
2699
@dbus.service.signal(_interface, signature="os")
3421
2700
def ClientRemoved(self, objpath, name):
3422
2701
"D-Bus signal"
3423
2702
pass
3424
3425
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3426
"true"})
2703
3427
2704
@dbus.service.method(_interface, out_signature="ao")
3428
2705
def GetAllClients(self):
3429
2706
"D-Bus method"
3430
return dbus.Array(c.dbus_object_path for c in
3431
tcp_server.clients.values())
3432
3433
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3434
"true"})
2707
return dbus.Array(c.dbus_object_path
2708
for c in
2709
tcp_server.clients.itervalues())
2710
3435
2711
@dbus.service.method(_interface,
3436
2712
out_signature="a{oa{sv}}")
3437
2713
def GetAllClientsWithProperties(self):
3438
2714
"D-Bus method"
3439
2715
return dbus.Dictionary(
3440
{c.dbus_object_path: c.GetAll(
3441
"se.recompile.Mandos.Client")
3442
for c in tcp_server.clients.values()},
2716
((c.dbus_object_path, c.GetAll(""))
2717
for c in tcp_server.clients.itervalues()),
3443
2718
signature="oa{sv}")
3444
2719
3445
2720
@dbus.service.method(_interface, in_signature="o")
3446
2721
def RemoveClient(self, object_path):
3447
2722
"D-Bus method"
3448
for c in tcp_server.clients.values():
2723
for c in tcp_server.clients.itervalues():
3449
2724
if c.dbus_object_path == object_path:
3450
2725
del tcp_server.clients[c.name]
3451
2726
c.remove_from_connection()
3452
# Don't signal the disabling
2727
# Don't signal anything except ClientRemoved
3453
2728
c.disable(quiet=True)
3454
# Emit D-Bus signal for removal
3455
self.client_removed_signal(c)
2729
# Emit D-Bus signal
2730
self.ClientRemoved(object_path, c.name)
3456
2731
return
3457
2732
raise KeyError(object_path)
3458
2733
3459
2734
del _interface
3460
3461
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3462
out_signature="a{oa{sa{sv}}}")
3463
def GetManagedObjects(self):
3464
"""D-Bus method"""
3465
return dbus.Dictionary(
3466
{client.dbus_object_path:
3467
dbus.Dictionary(
3468
{interface: client.GetAll(interface)
3469
for interface in
3470
client._get_all_interface_names()})
3471
for client in tcp_server.clients.values()})
3472
3473
def client_added_signal(self, client):
3474
"""Send the new standard signal and the old signal"""
3475
if use_dbus:
3476
# New standard signal
3477
self.InterfacesAdded(
3478
client.dbus_object_path,
3479
dbus.Dictionary(
3480
{interface: client.GetAll(interface)
3481
for interface in
3482
client._get_all_interface_names()}))
3483
# Old signal
3484
self.ClientAdded(client.dbus_object_path)
3485
3486
def client_removed_signal(self, client):
3487
"""Send the new standard signal and the old signal"""
3488
if use_dbus:
3489
# New standard signal
3490
self.InterfacesRemoved(
3491
client.dbus_object_path,
3492
client._get_all_interface_names())
3493
# Old signal
3494
self.ClientRemoved(client.dbus_object_path,
3495
client.name)
3496
2735
3497
2736
mandos_dbus_service = MandosDBusService()
3498
3499
# Save modules to variables to exempt the modules from being
3500
# unloaded before the function registered with atexit() is run.
3501
mp = multiprocessing
3502
wn = wnull
3503
2737
3504
2738
def cleanup():
3505
2739
"Cleanup function; run on exit"
3506
if zeroconf:
3507
service.cleanup()
3508
3509
mp.active_children()
3510
wn.close()
2740
service.cleanup()
2741
2742
multiprocessing.active_children()
2743
wnull.close()
3511
2744
if not (tcp_server.clients or client_settings):
3512
2745
return
3513
2746
3514
2747
# Store client before exiting. Secrets are encrypted with key
3515
2748
# based on what config file has. If config file is
3516
2749
# removed/edited, old secret will thus be unrecovable.
3517
2750
clients = {}
3518
2751
with PGPEngine() as pgp:
3519
for client in tcp_server.clients.values():
2752
for client in tcp_server.clients.itervalues():
3520
2753
key = client_settings[client.name]["secret"]
3521
2754
client.encrypted_secret = pgp.encrypt(client.secret,
3522
2755
key)
3523
2756
client_dict = {}
3524
2757
3525
2758
# A list of attributes that can not be pickled
3526
2759
# + secret.
3527
exclude = {"bus", "changedstate", "secret",
3528
"checker", "server_settings"}
3529
for name, typ in inspect.getmembers(dbus.service
3530
.Object):
2760
exclude = set(("bus", "changedstate", "secret",
2761
"checker", "server_settings"))
2762
for name, typ in (inspect.getmembers
2763
(dbus.service.Object)):
3531
2764
exclude.add(name)
3532
2765
3533
2766
client_dict["encrypted_secret"] = (client
3534
2767
.encrypted_secret)
3535
2768
for attr in client.client_structure:
3536
2769
if attr not in exclude:
3537
2770
client_dict[attr] = getattr(client, attr)
3538
2771
3539
2772
clients[client.name] = client_dict
3540
2773
del client_settings[client.name]["secret"]
3541
2774
3542
2775
try:
3543
with tempfile.NamedTemporaryFile(
3544
mode='wb',
3545
suffix=".pickle",
3546
prefix='clients-',
3547
dir=os.path.dirname(stored_state_path),
3548
delete=False) as stored_state:
3549
pickle.dump((clients, client_settings), stored_state,
3550
protocol=2)
3551
tempname = stored_state.name
2776
with (tempfile.NamedTemporaryFile
2777
(mode='wb', suffix=".pickle", prefix='clients-',
2778
dir=os.path.dirname(stored_state_path),
2779
delete=False)) as stored_state:
2780
pickle.dump((clients, client_settings), stored_state)
2781
tempname=stored_state.name
3552
2782
os.rename(tempname, stored_state_path)
3553
2783
except (IOError, OSError) as e:
3554
2784
if not debug:
3557
2787
except NameError:
3558
2788
pass
3559
2789
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
3560
logger.warning("Could not save persistent state: {}"
2790
logger.warning("Could not save persistent state: {0}"
3561
2791
.format(os.strerror(e.errno)))
3562
2792
else:
3563
2793
logger.warning("Could not save persistent state:",
3564
2794
exc_info=e)
3565
raise
3566
2795
raise e
2796
3567
2797
# Delete all clients, and settings from config
3568
2798
while tcp_server.clients:
3569
2799
name, client = tcp_server.clients.popitem()
3570
2800
if use_dbus:
3571
2801
client.remove_from_connection()
3572
# Don't signal the disabling
2802
# Don't signal anything except ClientRemoved
3573
2803
client.disable(quiet=True)
3574
# Emit D-Bus signal for removal
3575
2804
if use_dbus:
3576
mandos_dbus_service.client_removed_signal(client)
2805
# Emit D-Bus signal
2806
mandos_dbus_service.ClientRemoved(client
2807
.dbus_object_path,
2808
client.name)
3577
2809
client_settings.clear()
3578
2810
3579
2811
atexit.register(cleanup)
3580
3581
for client in tcp_server.clients.values():
2812
2813
for client in tcp_server.clients.itervalues():
3582
2814
if use_dbus:
3583
# Emit D-Bus signal for adding
3584
mandos_dbus_service.client_added_signal(client)
2815
# Emit D-Bus signal
2816
mandos_dbus_service.ClientAdded(client.dbus_object_path)
3585
2817
# Need to initiate checking of clients
3586
2818
if client.enabled:
3587
2819
client.init_checker()
3588
2820
3589
2821
tcp_server.enable()
3590
2822
tcp_server.server_activate()
3591
2823
3592
2824
# Find out what port we got
3593
if zeroconf:
3594
service.port = tcp_server.socket.getsockname()[1]
2825
service.port = tcp_server.socket.getsockname()[1]
3595
2826
if use_ipv6:
3596
2827
logger.info("Now listening on address %r, port %d,"
3597
2828
" flowinfo %d, scope_id %d",
3599
2830
else: # IPv4
3600
2831
logger.info("Now listening on address %r, port %d",
3601
2832
*tcp_server.socket.getsockname())
3602
3603
# service.interface = tcp_server.socket.getsockname()[3]
3604
2833
2834
#service.interface = tcp_server.socket.getsockname()[3]
2835
3605
2836
try:
3606
if zeroconf:
3607
# From the Avahi example code
3608
try:
3609
service.activate()
3610
except dbus.exceptions.DBusException as error:
3611
logger.critical("D-Bus Exception", exc_info=error)
3612
cleanup()
3613
sys.exit(1)
3614
# End of Avahi example code
3615
3616
GLib.io_add_watch(
3617
GLib.IOChannel.unix_new(tcp_server.fileno()),
3618
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3619
lambda *args, **kwargs: (tcp_server.handle_request
3620
(*args[2:], **kwargs) or True))
3621
2837
# From the Avahi example code
2838
try:
2839
service.activate()
2840
except dbus.exceptions.DBusException as error:
2841
logger.critical("D-Bus Exception", exc_info=error)
2842
cleanup()
2843
sys.exit(1)
2844
# End of Avahi example code
2845
2846
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2847
lambda *args, **kwargs:
2848
(tcp_server.handle_request
2849
(*args[2:], **kwargs) or True))
2850
3622
2851
logger.debug("Starting main loop")
3623
2852
main_loop.run()
3624
2853
except AvahiError as error:
3633
2862
# Must run before the D-Bus bus name gets deregistered
3634
2863
cleanup()
3635
2864
3636
3637
def should_only_run_tests():
3638
parser = argparse.ArgumentParser(add_help=False)
3639
parser.add_argument("--check", action='store_true')
3640
args, unknown_args = parser.parse_known_args()
3641
run_tests = args.check
3642
if run_tests:
3643
# Remove --check argument from sys.argv
3644
sys.argv[1:] = unknown_args
3645
return run_tests
3646
3647
# Add all tests from doctest strings
3648
def load_tests(loader, tests, none):
3649
import doctest
3650
tests.addTests(doctest.DocTestSuite())
3651
return tests
3652
3653
2865
if __name__ == '__main__':
3654
try:
3655
if should_only_run_tests():
3656
# Call using ./mandos --check [--verbose]
3657
unittest.main()
3658
else:
3659
main()
3660
finally:
3661
logging.shutdown()
2866
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0